Hunting Payroll Pirates: Tracking HR Redirect Phishing Scam
Essential information
- Published
- 04/12/2024 10:14
- Modified
- 04/12/2024 10:23
- Tags
- 2024-12-04 hr scam phishing
- Related entities
- 69 observables, 1 intrusion sets (apt), 8 techniques (mitre), 4 others
Description
A malicious threat actor group dubbed 'Payroll Pirates' is orchestrating an ongoing human resources payroll redirection phishing scam targeting numerous organizations' employees. The campaign primarily focuses on Workday users and high-profile companies. The actors employ search ads with brand keywords to promote sponsored phishing websites, utilize website builders for rapid domain creation, and often host phishing content behind an /online directory. The group has targeted various organizations, including the California Employment Development Department, Kaiser Permanente, Macy's, New York Life, and Roche. The scammers use obtained credentials and social security numbers to access employee portals and redirect funds to fraudulent bank accounts. The campaign's infrastructure includes hundreds of domains, dedicated IP ranges, and tactical shifts in specific timeframes.