- Payroll Pirates Spoofed HR Platforms Through Ads to Steal Credentials and MFA Codes
- More than 200 platforms were attacked, affecting around half a million users.
- Telegram bots enabled real-time phishing, and infrastructure spanned Kazakhstan, Vietnam, and covert domains
Experts have warned that scammers have been spoofing payroll systems, credit unions and trading platforms across the United States in an attempt to steal login credentials and multi-factor authentication (MFA) codes.
Check Point cybersecurity researchers dubbed the perpetrators “Payroll Pirates.” The group uses paid ads on popular networks like Google or Bing to advertise counterfeit HR and payroll portals.
When a victim employee searched for the platform of their choice (instead of simply typing the address into the address bar), they would see the fake site promoted at the top. Those who unknowingly clicked on the link and attempted to log in effectively transmitted their credentials to the attackers.
Coming back stronger
Over time, the operation targeted more than 200 platforms and affected approximately half a million users, researchers say.
The campaign appeared to go dormant in late 2023, but returned in mid-2024 with improved phishing kits capable of bypassing two-factor authentication.
The operators used Telegram bots to interact with victims in real time, requesting one-time codes and other security responses. The backend of the kits was also redesigned to hide data exfiltration paths, making the infrastructure much more difficult to detect or dismantle.
Because the group runs two large infrastructure clusters, Check Point initially believed it was looking at several different campaigns.
One uses Google Ads and “white pages” redirects hosted in Kazakhstan and Vietnam, while the other relies on Bing Ads and old domains leaked through cloaking services. However, further investigation determined that this was all part of a single, unified network. The records showed at least four administrators managing Telegram channels linked to different targets, such as payroll platforms, credit unions, and healthcare benefits portals.
They even found one of the administrators posting a video from Odessa, and concluded that at least one of the operators was based in Ukraine. The Payroll Pirates remain active, constantly refining their tactics and targeting anyone whose paycheck moves online, Check Point warned in closing.




