Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails

Technical Details

CISA analysts observed an unknown malicious cyber actor sending a phishing email to various Federal Civilian Executive Branch and state, local, tribal, and territorial government recipients. The phishing email contains:

  • A subject line, SBA Application – Review and Proceed
  • A sender, marked as disastercustomerservice@sba[.]gov
  • Text in the email body urging the recipient to click on a hyperlink to address:
  • hxxps://leanproconsulting[.]com.br/gov/covid19relief/sba.gov
  • The domain resolves to IP address: 162.214.104[.]246

Below is a screenshot of the webpage arrived at by clicking on the hyperlink in the email.

 

Read the full alert including Mitigation recommendations here.