- Payroll hackers have used paid ads to spoof HR platforms and steal credentials and MFA codes.
- More than 200 platforms were spoofed, affecting around half a million users.
- Telegram bots enabled real-time phishing, with infrastructure spread across Kazakhstan, Vietnam and hidden domains.
Experts have warned that fraudsters in the US have been spoofing payroll systems, credit unions and trading platforms to steal login details and multi-factor authentication (MFA) codes.
Cybersecurity researchers at Check Point named the perpetrators "Payroll Pirates", a group that promotes fake payroll and HR portals with paid ads on popular networks such as Google and Bing.
When a victim employee searched for their payroll platform by name (instead of typing its address into the address bar), the fake website appeared at the top of the results as a sponsored link. Those who unknowingly clicked the link and tried to log in handed their credentials straight to the attackers.
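As an added defender-side illustration (not code from the article or from Check Point's report), the check below scans constructed web-proxy log lines for users who reached a portal-looking domain through a paid search-ad click (a `gclid` or `msclkid` parameter) without landing on an approved portal, which is the traffic pattern the lure above produces. The portal allowlist, brand keywords and log format are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed allowlist of the organisation's legitimate portal hostnames (placeholders).
ALLOWED_PORTALS = {"payroll.example-hr.com", "login.example-creditunion.org"}
# Brand words a lookalike domain for these portals would typically reuse (assumed).
BRAND_KEYWORDS = ("payroll", "hr", "benefits", "creditunion")
# Click identifiers appended by Google Ads and Microsoft (Bing) Ads respectively.
AD_CLICK_PARAMS = {"gclid", "msclkid"}

# Assumed proxy log format: "<timestamp> <user> <url> referer=\"<referer>\"".
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+) referer="(?P<ref>[^"]*)"$')

# Constructed sample log lines: one legitimate ad click, one lookalike reached via
# an ad, one unrelated ad click, and one direct visit with no ad click marker.
SAMPLE_LOGS = [
    '2024-06-01T08:02:11Z alice https://payroll.example-hr.com/login?gclid=abc123 referer="https://www.google.com/"',
    '2024-06-01T08:05:42Z bob https://payroll-example-hr-login.com/?gclid=xyz789 referer="https://www.google.com/"',
    '2024-06-01T08:07:03Z carol https://news.example.net/article?gclid=q1 referer="https://www.google.com/"',
    '2024-06-01T08:09:30Z dave https://hrportal-secure.net/ referer=""',
]

def is_ad_click(url):
    """True when the URL carries a paid-search click identifier."""
    query = parse_qs(urlparse(url).query)
    return any(param in query for param in AD_CLICK_PARAMS)

def looks_like_portal(host):
    """True when the hostname reuses one of the brand keywords (hyphens ignored)."""
    flat = host.replace("-", "")
    return any(keyword in flat for keyword in BRAND_KEYWORDS)

def flag_ad_driven_lookalikes(log_lines):
    """Return (user, host) pairs for ad-click landings on non-allowlisted portal lookalikes."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        url = match.group("url")
        host = (urlparse(url).hostname or "").lower()
        if host in ALLOWED_PORTALS:
            continue  # the real portal reached via its own ad is expected
        if is_ad_click(url) and looks_like_portal(host):
            hits.append((match.group("user"), host))
    return hits

if __name__ == "__main__":
    for user, host in flag_ad_driven_lookalikes(SAMPLE_LOGS):
        print(f"review: {user} reached portal lookalike {host} via a search ad")
```

A hit is a trigger for credential reset and MFA re-enrolment for that user, not proof of compromise on its own.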
Come back stronger
Over time, the operation targeted more than 200 platforms and lured about half a million users, researchers say.
The campaign appeared inactive in late 2023, but returned in mid-2024 with updated phishing kits that could bypass two-factor authentication.
The operators used Telegram bots to interact with victims in real time, prompting them for one-time codes and other security challenge responses. The kit's back end was also redesigned to hide its data exfiltration paths, making the infrastructure much harder to detect or dismantle.
Because the group runs two large infrastructure clusters, Check Point initially assumed they were separate campaigns.
One uses Google Ads and redirects to "white pages" (benign decoy pages) hosted in Kazakhstan and Vietnam, while the other relies on Bing Ads and aged domains filtered through cloaking services. Further investigation, however, revealed that both were part of a single unified network. The data showed that at least four administrators managed Telegram channels linked to various targets, such as payroll platforms, credit unions and health benefits portals.
The researchers also found that one of the administrators had posted a video from Odessa, which led them to conclude that at least one of the operators was based in Ukraine. Payroll hackers remain active, constantly refining their tactics and targeting anyone who is paid through an online portal, Check Point warned.