Employee paychecks were rerouted using compromised credentials from a phishing campaign that leveraged search engine optimization (SEO) poisoning and proxy networks, ReliaQuest reported Tuesday.
The attack targeted mobile devices and leveraged Google ads to appear at the top of Google search results when an employee searched for the payroll portal of the targeted company.
These sponsored links only appeared when searches were made on mobile devices, suggesting the attacker used Google Ads settings to run a mobile-only campaign. The phishing page also only redirected to a fake log-in if the user was on a mobile device, but displayed “no meaningful content” when accessed from workstations, ReliaQuest noted.
This mobile-specific targeting makes it more difficult for companies to detect or even analyze the campaign, as mobile devices are less likely to be connected to the corporate network. Employees may also use their personal mobile devices to access their company human resources portal from home.
Employee robbed of credentials – and paycheck
When an employee searched for their company’s HR portal and clicked on the phishing link, they would have been met with a fake Microsoft log-in page designed to capture their credentials.
The credentials submitted by the employee were then used by the attacker to log in to the employee’s account on SAP SuccessFactors, the HR platform used by the victim company.
From this compromised account, the attacker changed the employee’s direct deposit details, rerouting the employee’s paycheck to their own bank account. These actions within SAP SuccessFactors were conducted from multiple residential IP addresses that were linked back to home office routers from brands including ASUS and Pakedge.
These routers were likely part of a proxy network of compromised routers, as access to compromised residential IP addresses is often sold in cybercrime circles for attackers to mask their own IP addresses and locations, ReliaQuest explained.
ReliaQuest noted one — likely accidental — login attempt from a Russian IP address, which was blocked by SAP SuccessFactors. A proxy network could enable the attacker to appear more local to the legitimate user and prevent the blocking of IP addresses tied to previous malicious campaigns.
The attacker also used a legitimate messaging service called Pusher to facilitate real-time monitoring of the phishing page and instant notification when credentials were submitted. This enabled the attacker to reuse the credentials quickly before they could be reset by the victim or company.
ReliaQuest noted this recent campaign was similar to previous campaigns detected in late 2024, suggesting ongoing attacks by the same threat actor and continued use of the same tactics, techniques and procedures (TTPs) described in the report.
How to protect your payroll
To avoid similar attacks, ReliaQuest recommended companies not rely solely on tools that protect corporate networks and endpoints, as the campaign exploits employees’ use of less protected mobile devices to access their accounts.
Employees should be made aware of such campaigns and encouraged to bookmark their official company portal to avoid reliance on potentially poisoned web searches when attempting to access HR services.
Multifactor authentication (MFA) should be required to access payroll portals, preventing attackers from logging in with just a username/email and password. Conditional access policies and device-based certificates can also prevent access from residential proxies and thwart attacks that attempt to bypass MFA.
When possible, companies should set up alerts that notify employees when their direct deposit details have changed, giving them a chance to quickly respond if an unexpected change is made. Companies should also have clear policies and instructions for what employees should do if an unexpected change occurs.
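As an added illustration of the alerting recommended above (example code, not from ReliaQuest’s report or SAP), the following Python snippet correlates HR-portal audit events so that a direct deposit change made shortly after a login from a never-before-seen or watch-listed IP raises an alert. The event format, user names, IP addresses and proxy watch list are all constructed assumptions, not the real SuccessFactors log format.

```python
"""Detection rule for the payroll-diversion pattern described in the article.

Correlates HR-portal audit events (constructed sample data; the real
SuccessFactors audit format is not assumed) so that a direct-deposit change
is flagged when the session that made it logged in from an IP the employee
has never used before, or from an address on a residential-proxy watch list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, event, source_ip)
SAMPLE_EVENTS = [
    ("2025-01-10T08:01:00", "alice", "login", "203.0.113.10"),
    ("2025-01-10T08:05:00", "alice", "view_paystub", "203.0.113.10"),
    ("2025-01-14T22:13:00", "alice", "login", "198.51.100.77"),  # unfamiliar IP
    ("2025-01-14T22:15:00", "alice", "direct_deposit_change", "198.51.100.77"),
    ("2025-01-15T09:00:00", "bob", "login", "203.0.113.44"),
    ("2025-01-15T09:02:00", "bob", "direct_deposit_change", "203.0.113.44"),
]

# Constructed placeholders: trusted egress IPs per user, and a watch list of
# IPs the organisation has tied to residential proxy services.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.44"}}
PROXY_WATCHLIST = {"198.51.100.77"}


def detect_payroll_diversion(events, known_ips=None, window=timedelta(hours=2)):
    """Return one alert per direct-deposit change made in a suspicious session.

    A session is suspicious when its login came from an IP not previously seen
    for that user (in `known_ips` or earlier in the stream) or from an IP on
    the proxy watch list, and the login preceded the change within `window`.
    """
    seen = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    last_login = {}  # user -> (login time, login ip, first_seen)
    alerts = []
    for ts, user, event, ip in sorted(events):  # ISO timestamps sort lexically
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if event == "login":
            last_login[user] = (t, ip, ip not in seen[user])
            seen[user].add(ip)
        elif event == "direct_deposit_change":
            login = last_login.get(user)
            reasons = []
            if login and t - login[0] <= window:
                if login[2]:
                    reasons.append("login from never-before-seen IP")
                if login[1] in PROXY_WATCHLIST:
                    reasons.append("login IP on residential-proxy watch list")
            if reasons:  # notify the employee and the security team
                alerts.append({"user": user, "time": ts, "ip": ip, "reasons": reasons})
    return alerts
```

Bob’s change comes from his trusted IP and produces no alert, while Alice’s change two minutes after a login from an unfamiliar, watch-listed address is flagged on both grounds.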
Companies can also leverage proactive threat intelligence measures to identify impersonation sites and other phishing campaigns targeting their organization, enabling them to take action to block and report these sites and make employees aware of targeted campaigns.