- Payroll Hackers Spoofed HR Platforms Via Ads to Steal Credentials and MFA Codes
- More than 200 platforms were targeted, affecting around half a million users
- Telegram bots enabled real-time phishing, infrastructure spanned Kazakhstan, Vietnam and hidden domains
Fraudsters have been spoofing payroll systems, credit unions and commerce platforms across the United States in an attempt to steal login credentials and multi-factor authentication (MFA) codes, experts have warned.
Cybersecurity researchers at Check Point have labeled the perpetrators “payroll hackers,” who use paid advertisements on popular networks such as Google or Bing to promote fake payroll and human resources portals.
When a targeted employee searched for their platform of choice (instead of typing the address directly into the address bar), they saw the fake site promoted at the top of the results. Those who unknowingly clicked the link and attempted to log in effectively relayed their credentials to the attackers.
Coming back stronger
Over time, the operation targeted more than 200 platforms and attracted around half a million users, researchers say.
The campaign appeared to be inactive in late 2023, but returned in mid-2024 with improved phishing kits capable of bypassing two-factor authentication.
Operators used Telegram bots to interact with victims in real time, requesting one-time codes and other security responses. The kits’ backend has also been redesigned to hide data exfiltration paths, making the infrastructure much harder to detect or dismantle.
Because the group manages two major infrastructure clusters, Check Point initially took these for several different campaigns.
One uses Google Ads and “white pages” redirects hosted in Kazakhstan and Vietnam, while the other relies on Bing Ads and old domains filtered through cloaking services. However, later investigation determined that it was all part of a single, unified network. The logs showed at least four administrators managing Telegram channels linked to different targets, such as payroll platforms, credit unions and health benefits portals.
The researchers even discovered that one of the administrators had posted a video from Odessa, and concluded that at least one of the operators was based in Ukraine. Payroll hackers remain active, constantly refining their tactics and targeting anyone whose paycheck is online, Check Point warned.
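A defensive illustration of the ad-driven lure described above, added here as an example and not taken from Check Point's report: it scans proxy logs for hosts that closely resemble an organisation's real payroll portals and records whether the visit carried an ad click ID (`gclid` for Google Ads, `msclkid` for Microsoft/Bing Ads). The portal hosts, log layout and similarity threshold are assumptions constructed for the example.

```python
from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlsplit

# Assumptions: hosts, threshold and log layout are constructed for this example.
ALLOWED_PORTALS = {"payroll.acme-hr.example", "benefits.acme-hr.example"}
AD_CLICK_PARAMS = {"gclid", "msclkid"}  # Google Ads / Microsoft (Bing) Ads click IDs
SIMILARITY_THRESHOLD = 0.75  # tune against your own traffic

# Constructed proxy log: "<timestamp> <user> <method> <url>"
SAMPLE_LOG = """\
2024-06-03T09:12:44Z alice GET https://payroll.acme-hr.example/login
2024-06-03T09:13:02Z bob GET https://payroll.acrne-hr.example/login?gclid=CONSTRUCTED1
2024-06-03T09:15:40Z carol GET https://www.contoso-travel.example/?msclkid=CONSTRUCTED2
2024-06-03T09:16:10Z dave GET https://benefits-acme-hr.example/sso?msclkid=CONSTRUCTED3
2024-06-03T09:20:31Z eve GET https://payroll.acrne-hr.example/login
""".splitlines()

def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def lookalike_of(host):
    """Return the allowed portal that `host` closely resembles, else None."""
    if host in ALLOWED_PORTALS:
        return None
    best = max(ALLOWED_PORTALS, key=lambda portal: similarity(host, portal))
    return best if similarity(host, best) >= SIMILARITY_THRESHOLD else None

def scan(log_lines):
    """Return (user, host, imitated_portal, ad_click_param_or_None) per hit."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, user, _, url = fields
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        imitated = lookalike_of(host)
        if imitated is None:
            continue
        # A click ID on the request indicates the visit arrived via a paid ad.
        clicks = sorted(AD_CLICK_PARAMS.intersection(parse_qs(parts.query)))
        findings.append((user, host, imitated, clicks[0] if clicks else None))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Hits that carry a click ID point to the sponsored-result lure specifically; when an ad first lands on an intermediate redirect page, the click ID may appear only on that earlier request, so lookalike hits without one are still reported.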




