- Payroll Pirates spoofed HR platforms via ads to steal credentials and MFA codes
- Over 200 platforms were targeted, affecting around half a million users
- Telegram bots enabled real-time phishing, with infrastructure spanning Kazakhstan, Vietnam and obfuscated domains
Fraudsters have spoofed payroll systems, credit unions and trading platforms across the US in an attempt to steal login credentials and multi-factor authentication (MFA) codes, experts have warned.
Check Point cyber security researchers dubbed the perpetrators ‘Payroll Pirates’. The group uses paid ads on popular networks such as Google or Bing to advertise fake payroll and HR portals.
When a victim employee searched for their preferred platform (instead of simply entering the address in the address bar), they would see the fake site promoted at the top. Those who unwittingly clicked the link and attempted to log in were effectively passing their credentials to the attackers.
Coming back stronger
Over time, the operation targeted more than 200 platforms and lured in an estimated half a million users, the researchers claim.
The campaign appeared to go dormant in late 2023, but returned in mid-2024 with upgraded phishing kits that could bypass two-factor authentication.
Operators used Telegram bots to interact with victims in real time, requesting one-time passwords and other security responses. The kit’s backend was also redesigned to hide data exfiltration paths, making the infrastructure much harder to detect or dismantle.
Because the group operates two large infrastructure clusters, Check Point initially believed these were several different campaigns.
One uses Google Ads and “white page” redirects hosted in Kazakhstan and Vietnam, while the other relies on Bing Ads and old domains filtered through cloaking services. However, subsequent investigation determined that this was all part of a single, unified network. Logs showed at least four administrators managing Telegram channels linked to various targets, such as payroll platforms, credit unions and healthcare portals.
The researchers also found that one of the administrators had posted a video from Odessa, and concluded that at least one of the operators was based in Ukraine. Payroll Pirates remain active, constantly refining their tactics and targeting anyone whose paycheck moves online, Check Point warned.



