Hackers spoof SBA to try to compromise companies’ computers

The hackers are exploiting businesses' reliance on digital updates from the federal government.
Image: Small Business Administration (SBA). Someone is spoofing the SBA to try to hack small businesses queuing up for loans during the coronavirus pandemic. (CC BY 2.0 / Flickr)

With the U.S. Small Business Administration continuing to play a high-profile role in getting cash to companies that are struggling because of the coronavirus pandemic, cybercriminals are stepping up their efforts to steal money from those very firms.

Research published Monday by IBM’s incident response team shows that attackers are spoofing the SBA in emails to try to install a remote hacking tool capable of stealing passwords and accessing webcams. They are exploiting attention on a nascent SBA program that offers up to $10 million in lending per business.

If an unsuspecting recipient opens the emails found by IBM, a data-stealing remote access trojan (RAT) known as Remcos can take control of the person’s computer. It is another example of how, as U.S. agencies have opened their spigots to provide hundreds of billions of dollars in relief to American businesses during the pandemic, cybercriminals have looked to pounce.

The hackers are “exploiting the reliance of … small businesses on digital updates to obtain guidance on how to receive federal aid,” the researchers wrote in a blog.

It’s unclear who is behind the hacking attempts, or how many, if any, small businesses were compromised. The research doesn’t address why crooks are trying to breach companies that might be short on cash while they wait for the SBA’s help. Regardless, cybercriminals are wont to swindle any victim they can. Even companies that were thriving before the health crisis have been queuing up for SBA loans, widening the pool of targets.

Over the last two years, the Remcos RAT, which is promoted for sale by a software company known as BreakingSecurity, has been used in hacking campaigns against international news organizations and Turkish defense contractors, among other sectors.

The emails found by IBM are written in poor grammar, spoofing a “disaster customer service” SBA email address. The researchers think the hackers breached the domain of a legitimate company, which they did not name, in order to send out the phishing emails under the guise of the SBA.

As U.S. lawmakers prepared to pass the first of multiple stimulus packages last month, security analysts were already warning that COVID-19 relief payments would attract a panoply of fraudsters. A month later, the fleecing shows no signs of letting up, with the FBI issuing multiple advisories on COVID-19 scams. Law enforcement agencies have tried to crack down, announcing the takedown of hundreds of fraud-peddling websites last week.

The hacking attempts discovered by IBM come as the SBA is still cleaning up an unrelated data incident from last month. The agency has been notifying nearly 8,000 businesses whose personally identifiable information may have been exposed because of a flaw in the agency’s online loan-application portal.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.