By Kyle Duncan and Noah Mizell, Cofense Phishing Defense Center
For the past few months, businesses across the nation have suffered from the financial strain brought on by COVID-19. Government relief has become a major concern as businesses struggle to stay afloat. The Cofense Phishing Defense Center (PDC) has taken notice of a new phishing campaign that once again aims to abuse Covid-related fear and uncertainty. This campaign imitates the U.S. Small Business Administration (SBA) to harvest the credentials of business owners who may be expecting the administration’s assistance.
While the spoofed address for this attack is one the SBA uses and is even listed on their website, one brief look at this example’s “Received” path shows it did not originate from the SBA.
Figure 1-2: Email Header
The first four hops on the email's Received path show that the message originated from Japanese mail servers. The same origin is visible in other header fields as well: the Japanese IP address appears in the Authentication-Results-Original header, and in some samples the Japanese domain also appears in the Message-ID.
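As an added illustration of the header check described above (example code written for this write-up, not Cofense's own tooling), the script below walks the Received path of a constructed message, identifies the originating server, and compares it, the Message-ID domain and the SPF result against the domain the From header claims. The sample headers, hostnames and 192.0.2.x addresses are all constructed placeholders; they are not the campaign's real headers.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample resembling the pattern in the post: a sba.gov From
# address whose Received path and Message-ID point at unrelated servers.
SAMPLE_EML = """Received: from mx.receiver.example (mx.receiver.example [192.0.2.10])
    by inbox.receiver.example with ESMTP id abc123;
    Mon, 1 Jun 2020 10:00:00 +0000
Received: from relay.example.jp (relay.example.jp [192.0.2.77])
    by mx.receiver.example with ESMTPS id def456;
    Mon, 1 Jun 2020 09:59:58 +0000
Received: from webmail.example.jp (unknown [192.0.2.55])
    by relay.example.jp with ESMTP id ghi789;
    Mon, 1 Jun 2020 09:59:50 +0000
Authentication-Results-Original: mx.receiver.example;
    spf=fail (sender IP is 192.0.2.77) smtp.mailfrom=sba.gov
Message-ID: <20200601095950.12345@webmail.example.jp>
From: "U.S. Small Business Administration" <relief@sba.gov>
To: owner@smallbiz.example
Subject: SBA application review

Body
"""

# Constructed control message whose path is consistent with its From domain.
LEGIT_EML = """Received: from mail.sba.gov (mail.sba.gov [192.0.2.20])
    by mx.receiver.example with ESMTPS id jkl012;
    Mon, 1 Jun 2020 09:00:00 +0000
Authentication-Results: mx.receiver.example;
    spf=pass (sender IP is 192.0.2.20) smtp.mailfrom=sba.gov
Message-ID: <20200601090000.777@mail.sba.gov>
From: "U.S. Small Business Administration" <relief@sba.gov>
To: owner@smallbiz.example
Subject: Application received

Body
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(value):
    """Join RFC 5322 folded header lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()


def parse_received(value):
    """Pull the claimed sending host and its IP out of one Received header."""
    value = unfold(value)
    m = RECEIVED_FROM.search(value)
    host = m.group(1).rstrip(".").lower() if m else None
    ip = None
    if m and m.group(2):
        ipm = IPV4.search(m.group(2))
        ip = ipm.group(1) if ipm else None
    return {"host": host, "ip": ip, "raw": value}


def same_org(hostname, domain):
    """True if hostname is the domain itself or a subdomain of it."""
    hostname = (hostname or "").lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def analyze_headers(raw_message):
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Each server prepends its own Received header, so the last one listed
    # is the first server that handled the message: the origin.
    origin = hops[-1] if hops else {"host": None, "ip": None, "raw": ""}
    mid_domain = unfold(msg.get("Message-ID")).rpartition("@")[2].strip("<> ").lower()
    auth = unfold(msg.get("Authentication-Results-Original") or msg.get("Authentication-Results"))
    spf_match = re.search(r"spf=(\w+)", auth)
    spf = spf_match.group(1).lower() if spf_match else None

    findings = []
    if origin["host"] and not same_org(origin["host"], from_domain):
        findings.append("origin host %s is outside %s" % (origin["host"], from_domain))
    if mid_domain and not same_org(mid_domain, from_domain):
        findings.append("Message-ID domain %s is outside %s" % (mid_domain, from_domain))
    if spf and spf != "pass":
        findings.append("SPF result is %s" % spf)
    return {"from_domain": from_domain, "origin": origin, "hops": hops,
            "message_id_domain": mid_domain, "spf": spf, "findings": findings}


def is_suspicious(raw_message):
    return bool(analyze_headers(raw_message)["findings"])


if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_EML), ("control", LEGIT_EML)):
        report = analyze_headers(sample)
        print(name, report["origin"], report["findings"])
```

The Received path is only trustworthy from the hop your own infrastructure added inward; hops below that are written by whoever relayed the message and can be forged, which is why the script cross-checks the origin against the Message-ID domain and the SPF verdict rather than relying on any single field.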
Figure 3-4: Email Body
The email body of this phish is very clean and well-constructed. Barring the excessive use of commas, the email looks legitimate at a glance. The threat actor has even compiled legitimate logo images and contact information to help sell the deception. Small business owners who have applied for federal aid would be hopeful and relieved to see this message in their inbox.
When you hover over the “Review and Proceed” button, however, the facade falls. Instead of sending users to SBA.gov, this button will redirect to the phishing page:
The phishing page at this URL redirects to an SBA phishing login page with similar logo, positioning, and details to the real site. While the phishing domain differs, the threat actor has notably attempted to mirror the URL structure from the legitimate SBA’s login URL by tossing in ‘covid19relief’ into the directory name.
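The hover check above can be automated for an HTML body: extract every link, skip those that really resolve to the brand's domain, and flag the rest when their URL borrows brand tokens (such as "covid19relief" or "sba" in the path) or when the anchor text names the brand while the href goes elsewhere. The code below is an added example written for this write-up, not Cofense's tooling; the HTML body and the "login-portal.example" host are constructed placeholders, not the campaign's actual URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: a branded button linking to a foreign host whose
# path imitates a relief-program login URL, plus genuine and unrelated links.
SAMPLE_HTML = """<html><body>
<p>Your application has been reviewed, please, click below, to proceed.</p>
<a href="https://login-portal.example/covid19relief/sba/login">Review and Proceed</a>
<p>Visit <a href="https://www.sba.gov/">SBA.gov</a> for more information.</p>
<p>Direct link: <a href="https://login-portal.example/covid19relief/sba/login">sba.gov/covid19relief</a></p>
<p><a href="https://www.usa.gov/">USA.gov</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_belongs_to(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_links(html, brand_domain="sba.gov", brand_tokens=("sba", "covid19relief")):
    """Return links that impersonate brand_domain without resolving to it."""
    findings = []
    for text, href in extract_links(html):
        host = urlparse(href).hostname or ""
        if host_belongs_to(host, brand_domain):
            continue  # genuinely on the brand's domain; nothing to flag
        # Compare whole labels/path segments so "sba" does not match "subscribe".
        segments = set(re.split(r"[^a-z0-9]+", href.lower()))
        hits = [t for t in brand_tokens if t in segments]
        reasons = []
        if hits:
            reasons.append("brand tokens %s in URL on foreign host" % hits)
        if brand_domain in text.lower():
            reasons.append("anchor text claims the brand but links elsewhere")
        if reasons:
            findings.append({"text": text, "href": href, "host": host.lower(),
                             "hits": hits, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding["text"], "->", finding["href"], finding["reasons"])
```

Run against the sample, the "Review and Proceed" button is flagged for carrying both brand tokens on a host outside sba.gov, and the second link is flagged twice because its visible text also pretends to be an sba.gov URL; the real SBA.gov link and the unrelated USA.gov link pass.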
Figure 5: Phishing Page
Upon entering their login credentials, users are then redirected to the official SBA website, specifically the login page seen in Figure 6.
Figure 6: Official Small Business Administration Page
Instead of receiving aid, business owners who fall for the scam give away their credentials—adding insult to injury.
LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops phishing attacks that elude email gateways.