Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.

For a downloadable copy of IOCs, see STIX file.

Technical Details

CISA analysts observed an unknown malicious cyber actor sending a phishing email to various Federal Civilian Executive Branch and state, local, tribal, and territorial government recipients. The phishing email contains:

  • A subject line, SBA Application – Review and Proceed
  • A sender, marked as disastercustomerservice@sba[.]gov
  • Text in the email body urging the recipient to click on a hyperlink to address:
    https://leanproconsulting.com.br/gov/covid19relief/sba.gov
  • The domain resolves to IP address: 162.214.104.246

Figure 1 is a screenshot of the webpage arrived at by clicking on the hyperlink.

[Figure 1: Malicious warning alert]
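
The following Python check is an added example, not part of the CISA alert. It flags the pattern seen in this email, where the trusted name sba.gov appears in the link's path while the link is actually hosted on a different domain. The PROTECTED list, the function names and the second sample link are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains whose names attackers may borrow (assumption for this example).
PROTECTED = ("sba.gov",)
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

def refang(text):
    """Undo common defanging so indicators copied from advisories still parse."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def host_is(host, domain):
    """True only when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_url(url):
    """Return a finding when a protected domain is named in the URL but the host is elsewhere."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    for domain in PROTECTED:
        if host_is(host, domain):
            return None  # genuinely hosted on the protected domain
        # Lookalike host such as sba.gov.example.net, or the brand string in the path.
        if domain in host or domain in rest:
            return {"url": url, "host": host, "impersonates": domain}
    return None

def scan_message(sender, body):
    """Flag links that borrow a protected domain name without being hosted on it."""
    sender_domain = refang(sender).rsplit("@", 1)[-1].lower()
    findings = []
    for url in URL_RE.findall(refang(body)):
        hit = check_url(url)
        if hit:
            # True when the link imitates the same domain the sender claims to be from.
            hit["matches_sender_domain"] = host_is(sender_domain, hit["impersonates"])
            findings.append(hit)
    return findings

# Constructed sample built from the indicators listed in this alert.
SAMPLE_SENDER = "disastercustomerservice@sba[.]gov"
SAMPLE_BODY = (
    "Please review: https://leanproconsulting.com.br/gov/covid19relief/sba.gov\n"
    "Help is available at https://www.sba.gov/\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(finding)
```

Only the first sample link is reported; the link hosted on www.sba.gov passes because the host itself, not just the path, belongs to the protected domain.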

Mitigations

CISA recommends using the following best practices to strengthen the security posture of an organization’s systems. System owners and administrators should review any configuration change prior to implementation to avoid unwanted impacts.

Resources
