Congress may be in a deadlock over a second stimulus package, but malicious actors are always ready to pounce on the slightest opportunity to exploit the public’s confusion. The US Small Business Administration (SBA) is being impersonated in Coronavirus-themed phishing messages that leverage unfamiliarity with loan application procedures. With many small businesses relying on loans from the SBA to keep their doors open during the quarantine slump, cyber criminals are capitalizing on delays in loan approvals to swindle businesses.
Since at least April, malicious actors have been impersonating the SBA in various campaigns leveraging diverse Tactics, Techniques and Procedures (TTPs), such as malicious payloads, credential harvesters, and stealthy social engineering, all aimed at severely compromising devices and stealing money from companies. In our “How to Stop Financial Phishing Attacks” webinar earlier this year (available on-demand here), we covered one such campaign, which attempted to spread GuLoader malware.
A Simple Yet Effective Approach
The latest wave of attacks uses a social engineering tactic that can slip under almost any radar. The phishing message contains none of the obvious red flags that would trigger a litany of detections. Unlike the previously observed campaigns, this wave carries no malicious payload, only a benign attachment named SBA – Disaster Loan Assistance Form.pdf. The attacker opts for a quiet attack vector, relying on the target believing the email is indeed from the SBA.
Looking at the email below, it is clear this is not your typical 419 phishing scam, poorly masquerading as an official entity to solicit money. The attacker ensures that even the smallest of details are correct in order to give the message a more credible appearance:
First, the Sender email address looks entirely legitimate.
Second, the target’s full name appears in the body of the message, rather than just an email address, as is often seen in more low-level attacks.
Lastly, the message is free of typos and the formatting is clean and professional.
The attacker successfully spoofs the FROM headers of the real SBA Disaster Customer Service account, as seen on the left. Unfortunately, replying to this email will not send your Economic Injury Disaster Loan (EIDL) application to the SBA, but instead to the attacker’s account at the malicious Reply-To domain, as shown on the right.
Just days before launching this campaign, the attacker created the malicious Reply-To domain gov-sba[.]us using bogus registration information. Whois details for this newly registered domain (NRD) are shown below.
NRDs are consistently used by attackers to fool users into taking actions that jeopardize the security of their organization. Phishing that leverages NRDs is a particularly effective tactic for a variety of reasons. For one thing, it is a common attacker technique to circumvent Secure Email Gateways (SEGs). New domains have very little history or presence, which allows them to bypass typical blocklists. In fact, a significant number of campaigns that Area 1 Security catches leverage new domains, which are often ephemeral (active only for about 48 hours or less).
Attackers commonly impersonate trusted entities in order to dupe targets into letting their guard down. This is made all the easier by registering an NRD that is also a malicious look-alike domain, in this case gov-sba[.]com. As a result, the true sender domain, buried deep within an email’s headers, is often overlooked. This is particularly the case when phish are opened via mobile devices, such as cell phones, where true sender domains are often hidden, and only Display Names are provided. What’s more, it requires fairly burdensome actions to reveal this type of information in most mobile device (and other purpose-built) mail clients.
To further con targets into filling out the fraudulent EIDL application, the attacker successfully spoofed the SBA’s legitimate sender address, [email protected]. In a stealthy move, the attacker also inserted an SMTP HELO command claiming the SBA’s domain, as shown below.
The HELO command identified the sending host to the receiving mail server as SBA’s domain, when in fact the sender had a completely different hostname and IP address, namely 990w8b[.]myvserver[.]online and 64[.]44[.]141[.]5. This led various legacy email security solutions to accept the message for delivery.
Reply with Bank Details
A target’s reply to this phish is the lynchpin of the whole scam, given the attached EIDL application requests private financial information. Further, the likelihood of a reply is dramatically increased by the seemingly benign and unassuming nature of this purported government form. In the body of the message, the attacker provides instructions to simply reply to the email with a completed EIDL application, of course making sure to note that all personal and banking details must be correct.
Looking at the PDF below, it’s almost impossible to believe this is a forgery, especially with a valid Office of Management and Budget (OMB) form number. In fact, the PDF closely resembles the legitimate Business Information form of the SBA’s online application for EIDL, and even includes an oath at the bottom certifying that all information is true under penalty of perjury. With this attached PDF the attacker clearly has one goal in mind — steal sensitive account and routing information from businesses.
The only telltale sign that this application is a forgery can be found buried in the document properties, where no typical target would venture:
Firstly, as seen below, this PDF was created with Skia, an open-source graphics engine for a variety of web platforms. This is a big deviation from the standard Adobe PDF Library that is used to create such documents.
Secondly, the document’s timestamp reveals that it was recently created on July 31st, 2020, long after the creation of the legitimate EIDL form.
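A metadata triage of the kind described in the two points above, as an added Python example (not the post’s code): it reads the Producer and CreationDate entries from a PDF’s Info dictionary and flags a non-Adobe producer or a creation date later than the genuine form. The sample PDF bytes, the Skia producer string and the cut-off date are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed stand-in for the attachment's Info dictionary: only the
# metadata keys matter; the producer string and date are illustrative.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Producer (Skia/PDF)\n"
    b"   /CreationDate (D:20200731154512+00'00') >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

# Producer expected for a genuine government form (per the post).
EXPECTED_PRODUCERS = ("Adobe PDF Library",)
# Assumed cut-off: the real EIDL form predates it (placeholder date).
LEGIT_FORM_DATE = datetime(2020, 3, 1)

def pdf_info(data):
    """Pull Producer and CreationDate out of a PDF's Info dictionary."""
    info = {}
    m = re.search(rb"/Producer\s*\(([^)]*)\)", data)
    if m:
        info["producer"] = m.group(1).decode("latin-1")
    m = re.search(rb"/CreationDate\s*\(D:(\d{14})", data)
    if m:
        info["created"] = datetime.strptime(m.group(1).decode(), "%Y%m%d%H%M%S")
    return info

def forgery_indicators(data):
    """Findings that suggest the document is not the genuine form."""
    info = pdf_info(data)
    findings = []
    producer = info.get("producer", "")
    if not producer.startswith(EXPECTED_PRODUCERS):
        findings.append(f"unexpected producer: {producer or 'missing'}")
    created = info.get("created")
    if created and created > LEGIT_FORM_DATE:
        findings.append(f"created {created.date()} after the genuine form")
    return findings
```

The regex approach only works on uncompressed Info dictionaries; for object-stream PDFs a full parser such as pypdf is needed.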
Exposing the Imposter
To thwart these sneaky SBA-themed phish, Area 1 Security uses multiple advanced techniques that leverage insight gained from early identification of attacker campaign infrastructure, enabling superior detection of emails from spoofed domains and accounts. Our anti-phishing service analyzes email for threat indicators, such as recently registered domains, domain name obfuscation, and look-alike domains. Additionally, the service uses real-time correlation with associated brand infrastructure to verify authenticity.
Area 1 also uses lexical analysis of message body and subject to detect financially driven attacks. Headers are checked for sender display name and true sender mismatches, and SPF, DKIM, and DMARC records are checked to validate the sender. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including those with malicious newly registered domains, that other defenses miss.
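The header checks described in this section and in the HELO discussion above (From versus Reply-To mismatch, look-alike brand domain, HELO name versus the actual connecting host), as an added Python example that is not Area 1’s code. The sample message is constructed: the HELO name, connecting host, IP and Reply-To domain are the values the post reports (de-fanging brackets removed), and the From address local part is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above. The HELO name,
# connecting host, IP and Reply-To domain are the values the post reports
# (de-fanging brackets removed); the From local part is a placeholder.
SAMPLE_MESSAGE = """\
Received: from sba.gov (990w8b.myvserver.online [64.44.141.5])
\tby mx.example.net with ESMTP; Fri, 31 Jul 2020 10:00:00 +0000
From: "SBA Disaster Customer Service" <noreply@sba.gov>
Reply-To: "SBA Disaster Customer Service" <noreply@gov-sba.us>
To: target@example.com
Subject: SBA Disaster Loan Assistance
"""
# "from <HELO name> (<reverse DNS> [<IP>])" as written by the receiving MX.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")
BRANDS = {"sba.gov"}  # brand domains this check protects

def addr_domain(header_value):
    """Lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def lookalike_brand(domain):
    """Brand whose first label appears inside a non-brand domain, else None."""
    labels = set(re.split(r"[^a-z0-9]+", domain))
    for brand in BRANDS:
        if domain != brand and brand.split(".")[0] in labels:
            return brand
    return None

def analyze(raw):
    """Return header-level findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    brand = lookalike_brand(reply_dom)
    if brand:
        findings.append(f"Reply-To domain {reply_dom} imitates {brand}")
    # The outermost Received header is the one our own MX wrote, so it is trustworthy.
    m = RECEIVED_RE.search(msg.get_all("Received", [""])[0])
    if m:
        helo, host, ip = m.groups()
        if helo != host and not host.endswith("." + helo):
            findings.append(f"HELO {helo} does not match connecting host {host} [{ip}]")
    return findings
```

SPF, DKIM and DMARC evaluation needs DNS and is left to the receiving MTA; these checks complement, not replace, those results.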
The official SBA website provides information on protecting yourself from these scams. The SBA will never proactively contact you for loan applications. If you receive an email asking for additional information regarding an existing loan application, first ensure there is an application number referenced in the email and that it matches your application. If you suspect that you have received an SBA phishing email, call the Office of Inspector General Hotline at 800-767-0385 or report it online through the Office of Inspector General Hotline.
Area 1 Security’s advanced Machine Learning and Artificial Intelligence technology leverages algorithms to uncover, in real time, new tactics malicious actors are using to bypass legacy vendors and cloud email providers, versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction, in that the user is never exposed to the attack.
Secure email gateways, cloud email suites, DMARC and other solutions often miss over 30 percent of phishing attack campaigns and advanced email threats. To request an assessment of your current phishing risks, please visit https://www.area1security.com/phishing-risk-assessment/.