Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

According to ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to carry out payroll fraud against a customer in the manufacturing sector.

This deceptive strategy involves crafting fake authentication portals that mirror legitimate organizational login pages, manipulating search engine results to rank these malicious sites at the top.

Malicious website prompted via SEO 

Unsuspecting employees, searching for payroll portals on mobile devices, are lured into surrendering their credentials, which attackers then exploit to infiltrate payroll systems and redirect paychecks to their own accounts.


This incident, linked to similar attacks observed in late 2024, signals a persistent and evolving campaign targeting organizations across industries.

Sophisticated SEO Poisoning Campaign

On the technical side, the attack relies on mobile-specific SEO manipulation: Google advertisement settings are adjusted so that the malicious sites rank first in mobile search results for keywords like “payroll” and “portal.”

When accessed from mobile devices, often on unsecured guest Wi-Fi or outside corporate networks, these sites redirect users to phishing pages mimicking Microsoft login portals, harvesting credentials via HTTP POST requests to attacker-controlled domains.

Microsoft login credential harvester

A standout tactic involves abusing the legitimate Pusher WebSocket service for real-time notifications of stolen credentials, using a specific application key to establish live connections, thus enabling rapid misuse before detection or password resets.

This approach bypasses traditional logging delays, rendering corporate security measures blind to off-network phishing on personal devices lacking enterprise-grade protection.

Real-Time Credential Theft

The attackers use compromised residential IP addresses and proxy networks, sourced from home routers with outdated firmware or default credentials, to mask their activity and evade geography-based security filters. Blending malicious traffic with legitimate residential patterns further complicates detection.

The attackers’ infiltration doesn’t stop at credential theft. Upon gaining access to payroll portals like SAP SuccessFactors, they alter direct deposit details from IP addresses tied to mobile providers and residential proxies, including those from telecommunications giants like AT&T.

According to the report, failed authentication attempts from a Russian IP hint at operational errors, while successful logins from varied residential IPs demonstrate a deliberate strategy to avoid suspicion.

This proxy usage, often involving botnets from exploited routers sold on criminal marketplaces for as low as $0.77 per gigabyte, underscores the low-cost, high-impact nature of such tools in cybercrime.

Organizations face significant risks from these tactics, as traditional security controls falter against off-network threats, potentially leading to financial losses, eroded employee trust, and regulatory penalties.

ReliaQuest recommends robust countermeasures, including multifactor authentication (MFA) with conditional access, employee education on secure portal access, real-time change alerts for payroll settings, and proactive monitoring for impersonating domains via tools like GreyMatter Digital Risk Protection.
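The “proactive monitoring for impersonating domains” recommendation above, and the campaign's reliance on the keywords “payroll” and “portal,” can be turned into a simple triage rule. The following script is an added example written for this article; it is not ReliaQuest's code, not part of GreyMatter Digital Risk Protection, and not taken from the report. It assumes a constructed feed of newly observed domains (the kind a certificate transparency or new-domain feed would supply) and uses `examplecorp.com` as a stand-in for the customer's real portal domain. It flags domains that reuse the brand label (under a foreign TLD, combined with extra words, as a subdomain of another domain, or as a one- or two-character typosquat) and raises the priority when payroll-themed keywords are also present; keywords alone never create a hit, so a generic “hr-portal-login” domain is left for other controls.

```python
import itertools
import re

# Words the campaign's SEO bait leans on. "payroll" and "portal" come from the article;
# the rest are constructed additions for this example.
PAYROLL_KEYWORDS = {"payroll", "portal", "hr", "login", "sso", "paycheck", "benefits", "timesheet"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Crude split into (subdomain labels, registrable label, tld). Good enough for
    .com/.net-style names; a production version would consult the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    return labels[:-2], labels[-2], labels[-1]


def score_candidate(candidate: str, brand: str, brand_tld: str):
    """Return (score, reasons) for one observed domain. Only brand-related findings count
    as a hit; payroll keywords raise the priority of a hit rather than creating one."""
    subs, name, tld = split_domain(candidate)
    compact = re.sub(r"[^a-z0-9]", "", name)
    tokens = set(re.split(r"[^a-z0-9]+", name))
    tokens.update(itertools.chain.from_iterable(re.split(r"[^a-z0-9]+", s) for s in subs))
    tokens.discard("")
    reasons = []
    if compact == brand and tld != brand_tld:
        reasons.append("brand-under-foreign-tld")
    elif brand in compact and compact != brand:
        reasons.append("brand-combined-with-extra-words")
    elif compact != brand and levenshtein(compact, brand) <= max(1, len(brand) // 4):
        reasons.append("typosquat")
    if any(re.sub(r"[^a-z0-9]", "", s) == brand for s in subs):
        reasons.append("brand-as-subdomain-of-other-domain")
    score = 3 * len(reasons)
    hits = tokens & PAYROLL_KEYWORDS
    if reasons and hits:
        reasons.append("payroll-keyword:" + ",".join(sorted(hits)))
        score += 2
    return score, reasons


def assess(candidates, legit_domain):
    """Score every candidate against the legitimate portal domain; return flagged ones, highest first."""
    _, brand_label, brand_tld = split_domain(legit_domain)
    brand = re.sub(r"[^a-z0-9]", "", brand_label)
    scored = [(c, *score_candidate(c, brand, brand_tld)) for c in candidates]
    flagged = [f for f in scored if f[1] > 0]
    return sorted(flagged, key=lambda f: (-f[1], f[0]))


# Constructed feed of newly observed domains (hypothetical; examplecorp.com stands in
# for the customer's real portal domain).
NEW_DOMAINS = [
    "examplecorp.com",
    "examplecorp-payroll-portal.com",
    "payroll.examplecorp.net",
    "exarnplecorp.com",
    "examplecorp.sso-login.net",
    "hr-portal-login.net",
    "unrelated-bakery.com",
]

if __name__ == "__main__":
    for domain, score, reasons in assess(NEW_DOMAINS, "examplecorp.com"):
        print(f"{score:>2}  {domain:<35} {'; '.join(reasons)}")
```

Run as-is it prints the four flagged names with their reasons; in practice the candidate list would be replaced by the daily output of a domain feed and the flagged names fed into takedown or block-list workflows.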

Indicators of Compromise (IOCs)

Artifact                  Details
188.143.232[.]224         Attacker IP sourced from Russia
2600:387:15:4f15:[:]4     Attacker mobile-provider IPv6 address
2600:387:f:5610:[:]a      Attacker mobile-provider IPv6 address
24.35.218[.]249           Residential IP used by attackers
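The indicators above are defanged, and the report's observations (failed logins from a Russian IP, then successful logins and a direct-deposit change from mobile-provider and residential addresses) map directly onto the “real-time change alerts for payroll settings” recommendation. The following script is an added example for this article, not ReliaQuest's or SAP's code: it refangs the four published indicators, then replays a constructed payroll-portal audit trail (the log lines are invented for this example and not from the report) through three rules. An event from a published indicator is always flagged; a direct-deposit change is flagged when it comes from a network the user has not used for at least 24 hours; and a successful login is flagged when failed attempts preceded it and it arrives from a network the user has never used. Networks are compared as /24 (IPv4) or /48 (IPv6) blocks because mobile carriers rotate addresses within a region's block.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators exactly as published in the report above, in their defanged form.
DEFANGED_IOCS = [
    "188.143.232[.]224",
    "2600:387:15:4f15:[:]4",
    "2600:387:f:5610:[:]a",
    "24.35.218[.]249",
]


def refang(indicator: str) -> str:
    """Undo the [.] / [:] defanging so the indicator parses as an address."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


IOC_ADDRESSES = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}


def network_of(addr):
    """Coarse network key: /24 for IPv4, /48 for IPv6. Mobile carriers rotate addresses
    within a region's block, so comparing blocks is more stable than single addresses."""
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


# Constructed payroll-portal audit trail (invented for this example, not from the report):
# timestamp, user, event, source IP, result
SAMPLE_AUDIT_LOG = """\
2025-02-03T08:02:11,j.doe,login,10.20.30.41,success
2025-02-03T08:05:40,j.doe,login,10.20.30.41,success
2025-02-04T09:11:02,j.doe,login,10.20.30.42,success
2025-02-05T08:00:00,a.smith,login,10.20.30.77,success
2025-02-10T21:40:17,j.doe,login,188.143.232.224,failure
2025-02-10T21:41:05,j.doe,login,188.143.232.224,failure
2025-02-10T21:47:33,j.doe,login,2600:387:15:4f15::4,success
2025-02-10T21:49:02,j.doe,direct_deposit_change,2600:387:15:4f15::4,success
2025-02-11T07:30:00,a.smith,login,10.20.30.77,success
2025-02-11T07:31:10,a.smith,direct_deposit_change,10.20.30.77,success
"""


def parse_log(text):
    """Parse the comma-separated audit lines into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "ip": ipaddress.ip_address(ip), "result": result})
    return events


def detect(events, failure_window=timedelta(minutes=30), trust_age=timedelta(hours=24)):
    """Return (timestamp, user, rule, ip) alerts. Rules:
      ioc_match                         - any event from a published attacker address
      failures_then_success_new_network - failed logins, then success from an unseen network
      deposit_change_from_new_network   - deposit change from a network first seen < trust_age ago"""
    alerts = []
    first_seen = {}               # (user, network) -> timestamp of first successful login
    failures = defaultdict(list)  # user -> timestamps of failed logins
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ip, ts = e["user"], e["ip"], e["ts"]
        net = network_of(ip)
        if ip in IOC_ADDRESSES:
            alerts.append((ts, user, "ioc_match", str(ip)))
        if e["event"] == "login":
            if e["result"] != "success":
                failures[user].append(ts)
                continue
            recent = [t for t in failures[user] if ts - t <= failure_window]
            if recent and (user, net) not in first_seen:
                alerts.append((ts, user, "failures_then_success_new_network", str(ip)))
            first_seen.setdefault((user, net), ts)
        elif e["event"] == "direct_deposit_change":
            seen = first_seen.get((user, net))
            if seen is None or ts - seen < trust_age:
                alerts.append((ts, user, "deposit_change_from_new_network", str(ip)))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, ip in detect(parse_log(SAMPLE_AUDIT_LOG)):
        print(f"{ts.isoformat()}  {user:<8} {rule:<36} {ip}")
```

On the constructed log, only j.doe produces alerts: the two failed logins and the subsequent session match published indicators, the successful login trips the failures-then-success rule, and the deposit change two minutes later fires the new-network rule; a.smith's change from a network first used days earlier stays quiet. The 24-hour trust age is the tunable that decides how quickly a freshly phished session can alter banking details without review.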
