Subscribe to receive notifications of new posts:

Latest SBA phishing attempt: stealthy social engineering phish using newly registered domains attempts to gain bank details

2020-09-09

5 min read

This blog originally appeared in September 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.

Congress may be in a deadlock over a second stimulus package, but malicious actors are always ready to pounce on the slightest opportunity to exploit the public’s confusion. The US Small Business Administration (SBA) is being impersonated in Coronavirus-themed phishing messages that leverage unfamiliarity with loan application procedures. With many small businesses relying on loans from the SBA to keep their doors open during the quarantine slump, cyber criminals are capitalizing on delays in loan approvals to swindle businesses.

Since at least April, malicious actors have been impersonating the SBA in various campaigns leveraging diverse Tactics, Techniques and Procedures (TTPs), such as malicious payloads, credential harvesters, and stealthy social engineering, all aimed at severely compromising devices and stealing money from companies. In our “How to Stop Financial Phishing Attacks” webinar earlier this year (available on-demand here), we covered one such campaign, which attempted to spread GuLoader malware.

A Simple Yet Effective Approach

The latest wave of attacks involves a clever social engineering tactic that can fly under almost any radar. This phishing message does not contain errant red flags that would maladroitly trigger a litany of detections. Unlike the previously observed campaigns, this wave of attacks does not contain any malicious payloads, only a benign attachment named SBA - Disaster Loan Assistance Form.pdf. The attacker opts for a clever and silent attack vector, relying on the target believing the email is indeed from the SBA.

Looking at the email below, it is clear this is not your typical 419 phishing scam, poorly masquerading as an official entity to solicit money. The attacker ensures that even the smallest of details are correct in order to give the message a more credible appearance:

  • First, the Sender email address looks entirely legitimate.

  • Second, the target’s full name appears in the body of the message, as opposed to just a mere email address, as is often seen in more low-level attacks.

  • Lastly, the message is free of typos and the formatting is clean and professional.

The attacker successfully spoofs the FROM headers of the real SBA Disaster Customer Service account, as seen on the left. Unfortunately, replying to this email will not send your Economic Injury Disaster Loan (EIDL) application to the SBA, but instead to the attacker’s account at the malicious Reply-To domain, as shown on the right.

Just days before launching this campaign, the attacker created the malicious Reply-To domain gov-sba[.]us using bogus registration information. Whois details for this newly registered domain (NRD) are shown below.

Domain Name: gov-sba[.]us
Registry Domain ID: D18007599F1554B3DAA9B6AFEA0F4235C-NSR
Registrar WHOIS Server:
Registrar URL: www.psi-usa.info
Updated Date: 2020-08-05T06:22:13Z
Creation Date: 2020-07-31T06:22:09Z
Registry Expiry Date: 2021-07-31T06:22:09Z
Registrar: PSI-USA, Inc. dba Domain Robot
Registrar IANA ID: 151
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C186298DF566447488A165F7E4F5B8F60-NSR
Registrant Name: Krikor Derabrahamian
Registrant Organization:
Registrant Street: Rotenloewengasse 15
Registrant City: Wien
Registrant State/Province: US
Registrant Postal Code: 1090
Registrant Country: US
Registrant Phone: +44.7418440320
Registrant Email: office@teamtours.at
Registrant Application Purpose: P5
Registrant Nexus Category: C31/US
Registry Admin ID: C5DF36C6EB720453A8CB08A1FC96AB740-NSR
Admin Name: Krikor Derabrahamian
Admin Organization:
Admin Street: Rotenloewengasse 15
Admin City: Wien
Admin State/Province: AT
Admin Postal Code: 1090
Admin Country: AT
Admin Phone: +44.7418440320
Admin Email: office@teamtours.at
Admin Application Purpose: P5
Admin Nexus Category: C31/AT
Registry Tech ID: C5651DB7CEC1B420BAE1B3F7BE7E214B0-NSR
Tech Name: Gerald Auer
Tech Organization: World4You Internet Services GmbH
Tech Street: Hafenstrasse 47-51
Tech City: Linz
Tech State/Province: OOE
Tech Postal Code: 4020
Tech Country: AT
Tech Phone: +43.73293035
Tech Fax: +43.7329303510
Tech Email: techadmin@world4you.com
Tech Application Purpose: P5
Tech Nexus Category: C31/AT
Name Server: ns2.world4you.at
Name Server: ns1.world4you.at
DNSSEC: unsigned

NRDs are consistently used by attackers to fool users into taking actions that jeopardize the security of their organization. Phishing that leverages NRDs is a particularly effective tactic for a variety of reasons. For one thing, it is a common attacker technique to circumvent Secure Email Gateways (SEGs). New domains have very little history or presence, which allows them to bypass typical blocklists. In fact, a significant number of campaigns that Area 1 Security catches leverage new domains, which are often ephemeral (active only for about 48 hours or less).

Attackers commonly impersonate trusted entities in order to dupe targets into letting their guard down. This is made all the easier by registering an NRD that is also a malicious look-alike domain, in this case gov-sba[.]com. As a result, the true sender domain, buried deep within an email’s headers, is often overlooked. This is particularly the case when phish are opened via mobile devices, such as cell phones, where true sender domains are often hidden, and only Display Names are provided. What’s more, it requires fairly burdensome actions to reveal this type of information in most mobile device (and other purpose-built) mail clients.

To further con targets into filling out the fraudulent EIDL application, the attacker successfully spoofed the SBA’s legitimate sender address, disastercustomerservice@sba.com. In a stealthy move, the attacker actually inserted an SMTP HELO command, as shown below.

Authentication-Results-Original: 990w8b.myvserver.online;	spf=pass (sender IP
 is 64.44.141.5) smtp.mailfrom=disastercustomerservice@sba.gov
 smtp.helo=sba.gov
Received-SPF: pass (990w8b.myvserver.online: connection is authenticated)
Reply-To: "U.S. Small Business Administration (SBA)" <disastercustomerservice@gov-sba.us>
From: "U.S. Small Business Administration (SBA)" <disastercustomerservice@sba.gov>

The HELO command told the receiving email server to treat the message as if it originated from SBA’s domain, when in fact the sender actually had a completely different domain and IP address, namely 990w8b[.]myvserver[.]online and 64[.]44[.]141[.]5. This resulted in various legacy email security solutions accepting the message for delivery.

Reply with Bank Details

A target’s reply to this phish is the lynchpin of the whole scam, given the attached EIDL application requests private financial information. Further, the likelihood of a reply is dramatically increased by the seemingly benign and unassuming nature of this purported government form. In the body of the message, the attacker provides instructions to simply reply to the email with a completed EIDL application, of course making sure to note that all personal and banking details must be correct.

Looking at the PDF below, it’s almost impossible to believe this is a forgery, especially with a valid Office of Management and Budget (OMB) form number. In fact, the PDF closely resembles the legitimate Business Information form of the SBA’s online application for EIDL, and even includes an oath at the bottom certifying that all information is true under penalty of perjury. With this attached PDF the attacker clearly has one goal in mind -- steal sensitive account and routing information from businesses.

The only telltale sign that this application is a forgery can be found buried in the document properties, where no typical target would venture:

  • Firstly, as seen below, this PDF was created with Skia, an open-source graphics engine for a variety of web platforms. This is a big deviation from the standard Adobe PDF Library that is used to create such documents.

  • Secondly, the document’s timestamp reveals that it was recently created on July 31st, 2020, long after the creation of the legitimate EIDL form.

Exposing the Imposter

To thwart these sneaky SBA-themed phish, Area 1 Security uses multiple advanced techniques that leverage insight gained from early identification of attacker campaign infrastructure, enabling superior detection of emails from spoofed domains and accounts. Our anti-phishing service analyzes email for threat indicators, such as recently registered domains, domain name obfuscation, and look-a-like domains. Additionally, the service uses real-time correlation with associated brand infrastructure to verify authenticity.

Area 1 also uses lexical analysis of message body and subject to detect financially driven attacks. Headers are checked for sender display name and true sender mismatches, and SPF, DKIM, and DMARC records are checked to validate the sender. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including those with malicious newly registered domains, that other defenses miss.

Recommendations

The official SBA website provides information on protecting yourself from these scams. The SBA will never proactively contact you for loan applications. If you receive an email asking for additional information regarding an existing loan application, first ensure there is an application number referenced in the email, and it matches your application.

If you suspect that you have received an SBA phishing email, call the Office of Inspector General Hotline at 800-767-0385 or report it online, Office of Inspector General Hotline.

Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology leverages algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real-time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.

Indicators of Compromise

Reply-To Address:

disastercustomerservice@gov-sba[.]us

Malicious look-alike NRD:

gov-sba[.]us

Sender IP:

64[.]44[.]141[.]5

Sender Domain:

990w8b[.]myvserver[.]online

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Email SecurityCloud Email SecurityPhishing

Follow on X

Cloudflare|@cloudflare

Related posts

October 08, 2024 1:00 PM

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...

May 30, 2024 1:00 PM

Disrupting FlyingYeti's campaign targeting Ukraine

In April and May 2024, Cloudforce One employed proactive defense measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine...