Beware Of New HR Payroll Phishing Attack Targeting Numerous Employees

   December 5, 2024  Posted in CyberSecurityNews


A sophisticated phishing campaign dubbed “Payroll Pirates” is currently targeting employees of various high-profile organizations.

While the targets include California Employment Development Department (EDD), Kaiser Permanente, Macy’s, New York Life, and Roche.

This ongoing malicious operation aims to carry out payroll redirects by exploiting human resources (HR) systems, particularly focusing on Workday users.

Besides this, cybersecurity researchers at Silent Push discovered that the threat actors employ a multi-faceted approach to lure unsuspecting victims:-

  1. Malicious Search Advertising: Sponsored phishing websites appear in Google search results.
  2. Spoofed HR Pages: Convincing replicas of legitimate HR portals are created to deceive employees.
  3. Credential Exploitation: Using additional information like social security numbers, likely obtained from underground forums, the scammers gain access to employee portal accounts.
  4. Fund Redirection: Once inside, they alter the victim’s banking information to divert funds to fraudulent accounts under their control.
Steps of Payroll Pirates (Source – Silent Push)

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Infrastructure and Tactics

The Payroll Pirates demonstrate a high level of sophistication in their operations:-

  • Website Builders: Utilize platforms like Leadpages, Mobirise, and Wix for rapid domain setup.
  • Dedicated IP Ranges: Employ new pools of infrastructure with tactical shifts aligned to specific timeframes.
  • Preferred Registrars: Host phishing content primarily on Dynadot, Porkbun, and Namecheap.
  • Custom Structures: In some cases, they create directory structures matching real HR portal layouts to increase credibility.

The campaign has been observed targeting various HR and payroll systems:-

  • Workday
  • BambooHR
  • Unemployment portals (like California EDD)
  • Company-specific HR portals (like Macy’s, Roche, Kaiser Permanente)

Silent Push Threat Analysts have identified hundreds of domains associated with this campaign.

Phishing Pages (Source – Silent Push)

The threat actors continually adapt their tactics, shifting from unemployment benefits scams to payroll phishing and updating their templates.

They have also been observed targeting financial institutions with similar phishing techniques.

Organizations and employees should remain vigilant and implement strong security measures:-

  • Verify the authenticity of HR-related communications and login pages.
  • Implement multi-factor authentication for HR and payroll systems.
  • Educate employees about the latest phishing tactics and red flags.
  • Regularly monitor for unauthorized changes to payroll information.

Apart from this, the ongoing monitoring and threat intelligence sharing within the security community remain crucial in combating this persistent threat to corporate payroll systems and employee financial security.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses



Source link