Methods
phone email sms voicemail chatbot physical
Payloads
doc docx xls xlsx ppt pptx pdf hta exe bat zip xss csrf click-once phishing page ole drive-by-download usb drop cloud hosted file
Goals
cred harvest malware physical access info gather bec
Description

The United States Small Business Administration (SBA) provides tools and resources to US-based small businesses. One of the many resources offered by the SBA is loans. During the COVID-19 pandemic, the government authorized loans to support small businesses suffering during the pandemic. There was a lot of confusion surrounding the program since it was created in a matter of a few weeks. This email seeks to capitalize on the confusion and needs of small business owners (and their finance departments) by providing a fake loan application form for small business owners to fill out and return to the "SBA" (aka the attacker). The form asks for personal information such as financial information, bank statements, identity information, etc. The form could be sent as an attached document or as a link to an online webform. Once the victim returns the form, the attacker could use the victim's personal information for other scams. Note that this pretext could be used in other countries; however, the SBA would need to be changed to the local equivalent.

Example Email(s)

Source: https://www.bleepingcomputer.com/news/security/cisa-alerts-of-phishing-attack-targeting-sba-loan-relief-accounts/

From: disastercustomerservice@sba.gov
Subject: Coronavirus Pandemic Loan (COVID-19)

Dear {FIRST NAME},

As you might have heard, the US Federal Government has authorized the Small Business Administration (SBA) to provide small business owners with emergency financial relief during the Coronavirus pandemic. The SBA will provide a select group of US small businesses with up to $300,000 in loans. These loans will automatically convert to grants (meaning you do not have to pay them back), if you do not fire any employees before September.

To apply for this loan, please visit the following website and fill out the form completely.

Note: Incomplete applications will not be considered.

Thank you,
U.S. SBA


Example Payload Ideas

An online form requesting victim personal identity and financial information, such as SSNs, EIN, bank routing numbers, business revenue, etc.

A Word document containing a form requesting victim personal identity and financial information, such as SSNs, EIN, bank routing numbers, business revenue, etc. The email should state that in order to apply for loan relief, the victim must attach the completed form in a reply email.

Analysis

This pretext preys on small businesses in an extremely vulnerable financial situation by offering them the allure of additional funding. Also, at the time this pretext was heavily used, there was a lot of confusion surrounding the loan program application process, which aided attackers in tricking victims into providing their info.
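
Added example (not part of the original entry): a mail-triage check for this pretext from the defender's side. It flags messages whose From line claims sba.gov, as in the example email, but which lack a DMARC pass, send replies elsewhere, or link to a form off the agency domain. The Reply-To address, link host and Authentication-Results values in the samples are constructed, and the check assumes that header is stamped by your own mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CLAIMED = "sba.gov"  # agency domain shown in the example email's From line

# Constructed samples: Reply-To, link host and auth results are hypothetical.
SPOOFED = """From: disastercustomerservice@sba.gov
Reply-To: sba-loans@relief-forms.example
Subject: Coronavirus Pandemic Loan (COVID-19)
Authentication-Results: mx.recipient.example; spf=fail; dmarc=fail header.from=sba.gov

To apply for this loan, please visit http://apply.relief-forms.example/form and fill out the form completely.
"""
LEGIT = """From: disastercustomerservice@sba.gov
Authentication-Results: mx.recipient.example; dmarc=pass header.from=sba.gov

See https://www.sba.gov/ for program details.
"""

def domain(addr):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def under(host, parent):
    """True if host is parent itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == parent or host.endswith("." + parent)

def triage(raw):
    """Return the reasons a message claiming the agency domain needs review."""
    msg = message_from_string(raw)
    if not under(domain(msg["From"]), CLAIMED):
        return []  # this check only covers mail claiming the agency domain
    reasons = []
    # Assumption: the gateway strips inbound copies of this header and adds its own.
    if "dmarc=pass" not in (msg["Authentication-Results"] or "").lower():
        reasons.append("From claims sba.gov without a DMARC pass")
    reply_to = domain(msg["Reply-To"])
    if reply_to and not under(reply_to, CLAIMED):
        reasons.append("replies go to " + reply_to)  # where a returned form would land
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)
    for host in re.findall(r"https?://([^/\s:>\"']+)", body):
        if not under(host, CLAIMED):
            reasons.append("link host " + host.lower())  # webform hosted off-domain
    return reasons
```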