Cyberbytes Daily

Beware Of New HR Payroll Phishing Attack Targeting Numerous Employees

Beware Of New HR Payroll Phishing Attack Targeting Numerous Employees

A sophisticated phishing campaign dubbed “Payroll Pirates” is currently targeting employees of various high-profile organizations.

While the targets include California Employment Development Department (EDD), Kaiser Permanente, Macy’s, New York Life, and Roche.

This ongoing malicious operation aims to carry out payroll redirects by exploiting human resources (HR) systems, particularly focusing on Workday users.

Besides this, cybersecurity researchers at Silent Push discovered that the threat actors employ a multi-faceted approach to lure unsuspecting victims:-

  1. Malicious Search Advertising: Sponsored phishing websites appear in Google search results.
  2. Spoofed HR Pages: Convincing replicas of legitimate HR portals are created to deceive employees.
  3. Credential Exploitation: Using additional information like social security numbers, likely obtained from underground forums, the scammers gain access to employee portal accounts.
  4. Fund Redirection: Once inside, they alter the victim’s banking information to divert funds to fraudulent accounts under their control.
Steps of Payroll Pirates (Source – Silent Push)

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Infrastructure and Tactics

The Payroll Pirates demonstrate a high level of sophistication in their operations:-

  • Website Builders: Utilize platforms like Leadpages, Mobirise, and Wix for rapid domain setup.
  • Dedicated IP Ranges: Employ new pools of infrastructure with tactical shifts aligned to specific timeframes.
  • Preferred Registrars: Host phishing content primarily on Dynadot, Porkbun, and Namecheap.
  • Custom Structures: In some cases, they create directory structures matching real HR portal layouts to increase credibility.

The campaign has been observed targeting various HR and payroll systems:-

  • Workday
  • BambooHR
  • Unemployment portals (like California EDD)
  • Company-specific HR portals (like Macy’s, Roche, Kaiser Permanente)

Silent Push Threat Analysts have identified hundreds of domains associated with this campaign.

Phishing Pages (Source – Silent Push)

The threat actors continually adapt their tactics, shifting from unemployment benefits scams to payroll phishing and updating their templates.

They have also been observed targeting financial institutions with similar phishing techniques.

Organizations and employees should remain vigilant and implement strong security measures:-

  • Verify the authenticity of HR-related communications and login pages.
  • Implement multi-factor authentication for HR and payroll systems.
  • Educate employees about the latest phishing tactics and red flags.
  • Regularly monitor for unauthorized changes to payroll information.

Apart from this, the ongoing monitoring and threat intelligence sharing within the security community remain crucial in combating this persistent threat to corporate payroll systems and employee financial security.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

The post Beware Of New HR Payroll Phishing Attack Targeting Numerous Employees appeared first on Cyber Security News.

Tags

About Author

Chad Barr

Chad Barr is a visionary and executive leader, blending over two decades of expertise with a unique ability to demystify complex technical concepts. As a cybersecurity leader, prolific author, and director at AccessIT Group, Chad has empowered organizations across diverse industries to build resilient security frameworks. His engaging writing, speaking engagements, and thought leadership inspire proactive cybersecurity practices, making him a trusted voice in the ever-evolving digital landscape.

My Books

Cybersecurity News

  • Hackers Actively Exploited Ivanti VPN 0-Day Vulnerability (CVE-2025-0282): Technical Analysis
    by Balaji N on January 9, 2025 at 4:52 am

    Ivanti publicly disclosed two critical vulnerabilities CVE-2025-0282 and CVE-2025-0283 affecting its Connect Secure (ICS) VPN appliances. The announcement comes amidst alarming reports of active zero-day exploitation of CVE-2025-0282, identified by cybersecurity firm Mandiant as having begun in mid-December 2024. The exploitation has raised concerns about potential network breaches and downstream compromises for affected organizations. CVE-2025-0282, The post Hackers Actively Exploited Ivanti VPN 0-Day Vulnerability (CVE-2025-0282): Technical Analysis appeared first on Cyber Security News.

  • Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure
    by [email protected] (The Hacker News) on January 9, 2025 at 4:40 am

    Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2

  • Wireshark 4.4.3 Released – What’s New!
    by Guru Baran on January 9, 2025 at 2:51 am

    The Wireshark Foundation has announced the release of Wireshark 4.4.3, the latest version of the world’s most popular network protocol analyzer. This update brings a host of bug fixes and protocol support improvements, enhancing the tool’s capabilities for network troubleshooting, analysis, development, and education. What is Wireshark? Wireshark is a powerful, open-source network analysis tool The post Wireshark 4.4.3 Released – What’s New! appeared first on Cyber Security News.

  • Ivanti VPN Zero-Day Vulnerability Actively Exploited in the Wild
    by Guru Baran on January 9, 2025 at 2:27 am

    Ivanti has disclosed actively exploiting a critical zero-day vulnerability, CVE-2025-0282, in its Connect Secure VPN appliances. This vulnerability allows unauthenticated remote code execution and has already been exploited in a limited number of cases. A second vulnerability, CVE-2025-0283, which enables local privilege escalation, has also been identified but is not known to have been exploited. The post Ivanti VPN Zero-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.

  • India Readies Overhauled National Data Privacy Rules
    by Nate Nelson, Contributing Writer on January 9, 2025 at 2:00 am

    The country awaits implementation guidelines for a framework that gives Indians greater autonomy and security over their personal data — and recognizes a right to personal privacy.

Latest Posts

Categories

Tags

AI AWS ChatGPT Credit Card Fraud Cybercriminals Cyber News Cyber Security Cybersecurity News Data Breach Digital Transformation Gen AI IoT Nation-State Ransomware Security Skimmer Malware Starbucks