The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.
CISA analysts observed an unknown malicious cyber actor sending a phishing email to various Federal Civilian Executive Branch and state, local, tribal, and territorial government recipients. The phishing email contains:
A subject line, SBA Application – Review and Proceed
A sender, marked as disastercustomerservice@sba[.]gov
Text in the email body urging the recipient to click on a hyperlink to address: hxxps://leanproconsulting[.]com.br/gov/covid19relief/sba.gov
The domain resolves to IP address: 162.214.104[.]246
For more information about the attack please click here.