Darktrace email finds: COVID-19 relief spoof

Dan Fein, Director of Email Security Products | Thursday August 13, 2020

In March 2020, we documented the rise of Fearware: a type of email attack that involves exploiting a collective sense of fear and urgency in order to coax recipients into clicking on a malicious attachment or link. In the following weeks we saw over 130,000 new email domains registered to perform COVID-19 phishing. Five months on, this activity has unfortunately become the norm for cyber-criminals, who continue to take advantage of the pandemic in their attacks.

In recent weeks, Darktrace’s AI has identified cyber adversaries pivoting from claiming to offer urgent health-related advice or localized infection data, to impersonating relief funds in a particularly malevolent attempt to damage already struggling small businesses.

[Interface snapshot, recoverable fields: 100%; Mon Jul 27 2020, 16:04:11; Recipient: Anna Gumble <[email protected]nc.org>; Subject: "SBA Application – Review and Proceed"; Email Tags: Spam, Spoofing, Suspicious Link; Actions on Email: Double Lock Link, Hold Message, Move to Junk]

Figure 1: An interactive snapshot of Antigena Email’s user interface

A small business that had deployed Antigena Email was recently hit with a series of 10 spoofing emails claiming to be from the US Small Business Administration (SBA) about COVID-19 relief funds.

Note how the sender domain appears as sba.gov, just as it would in the recipient’s email client. This is possible because SMTP itself does not authenticate the From header: the address shown to the recipient is whatever the sending server chose to put there, and a display-From spoof of this kind succeeds whenever the receiving side does not check, or does not enforce, SPF, DKIM and DMARC for the claimed domain. In reality, the email originated from a mail server in Japan, and the link directs users to a compromised Brazilian domain that is unrelated to the SBA.
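The mismatches described above (a From header claiming sba.gov, an envelope sender and relaying host elsewhere, and a link target unrelated to the SBA) are exactly what a receiving side can check for itself. The script below is example code added here; it is not Darktrace's or Antigena Email's implementation, and the two raw messages, hostnames, IP addresses, e-mail addresses and URLs in it are constructed for the example (only the sba.gov domain that the spoofed From header claims comes from the post). It applies a DMARC-style relaxed alignment test to the envelope sender, the first Received hop and every link in the body, but it performs no DNS lookups for SPF records, DKIM keys or DMARC policy, so it is a header heuristic, not a DMARC evaluation.

```python
"""Added example (not Darktrace's or Antigena Email's code): a header and link
alignment check for a message whose From header claims sba.gov.

The two raw messages below are constructed for this example; every hostname,
IP address, e-mail address and URL in them is made up, except the sba.gov
domain the spoofed From header claims.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed spoof, modelled on the message described in the post: the From
# header claims sba.gov, but the envelope sender and the relaying host belong
# to an unrelated domain, and the link target is unrelated to the SBA.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail.example-relay.jp>
Received: from mail.example-relay.jp (mail.example-relay.jp [203.0.113.10])
 by mx.example-recipient.org with ESMTP id abc123;
 Mon, 27 Jul 2020 16:04:11 +0000
From: "U.S. Small Business Administration" <relief@sba.gov>
To: anna@example-recipient.org
Subject: SBA Application - Review and Proceed
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your COVID-19 relief application requires review.</p>
<p><a href="http://portal.example.com.br/sba/review">Review and Proceed</a></p>
</body></html>
"""

# Constructed message in which every observable domain agrees with the From domain.
ALIGNED_MESSAGE = """\
Return-Path: <bounce@mail.example.org>
Received: from mail.example.org (mail.example.org [192.0.2.5])
 by mx.example-recipient.org with ESMTP id def456;
 Mon, 27 Jul 2020 16:10:00 +0000
From: "Example Lender" <loans@example.org>
To: anna@example-recipient.org
Subject: Your application
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.example.org/apply">Continue</a></p></body></html>
"""


def aligned(domain, anchor):
    """DMARC-style relaxed alignment: domain equals anchor or is a subdomain of it.
    A lookalike such as sba.gov.example.com does NOT align with sba.gov."""
    return domain == anchor or domain.endswith("." + anchor)


def extract_link_domains(html):
    """Hostnames of every href in the body, de-duplicated and sorted."""
    hosts = set()
    for href in re.findall(r'href="([^"]+)"', html, flags=re.I):
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def check_message(raw):
    """Compare the display From domain against the envelope sender, the first
    relaying host and the link targets; return the observed values and mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    # Return-Path is the envelope sender (SMTP MAIL FROM) as recorded by the receiving MTA.
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # The topmost Received header is the one the receiving MTA itself wrote.
    relay = re.search(r"from\s+([\w.-]+)", msg.get("Received", ""))
    relay_host = relay.group(1).lower() if relay else ""
    link_domains = extract_link_domains(msg.get_content())

    findings = []
    if envelope_domain and not aligned(envelope_domain, from_domain):
        findings.append(f"envelope sender {envelope_domain} does not align with From domain {from_domain}")
    if relay_host and not aligned(relay_host, from_domain):
        findings.append(f"relaying host {relay_host} is outside {from_domain}")
    for host in link_domains:
        if not aligned(host, from_domain):
            findings.append(f"link target {host} is unrelated to {from_domain}")
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "relay_host": relay_host,
        "link_domains": link_domains,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        result = check_message(raw)
        print(f"{name}: {len(result['findings'])} finding(s)")
        for finding in result["findings"]:
            print("  -", finding)
```

Run stand-alone, the spoofed message produces three findings and the aligned one none. A legitimate bulk sender can fail the envelope or relay test while still passing DMARC (for example when mail is sent through a third-party provider with a DKIM signature for the From domain), so in production these signals belong alongside real SPF, DKIM and DMARC results rather than in place of them.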

Figure 2: The fake login page

The above screenshot displays the fake login page that users are directed to after clicking the link. The page uses the SBA logo and is formatted in the same style as legitimate pages on the genuine SBA website, such as the ‘forgotten password’ page below.

Figure 3: A screenshot from the legitimate SBA website

This Darktrace customer was a small business and may have been seeking funds. If this was the case, it could have easily fallen victim to this malicious attack targeting already vulnerable organizations. This attack shows how cyber-criminals continue to be creative and timely with their social engineering methods – and will stop at nothing in pursuit of their goals.

Antigena Email sits behind the gateway tools, so every message it sees, including this one, has already passed the email provider’s built-in security tools and any other gateway tools in place undetected. Darktrace’s AI flagged the rare link based on its understanding of normal communication patterns for the business, recognized the message as a spoofing attempt, and held it before it reached the inbox, protecting this vulnerable business from damage.

For an analysis of 13 more email attacks, read the Email Security Threat Report 2020

Dan Fein

Based in New York, Dan is the Director of Email Security Products for the Americas. He joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s world-leading Cyber AI Platform and products. Dan has a particular focus on Antigena Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.