216.73.216.133

Hunting Payroll Pirates: Tracking HR Redirect Phishing Scam

· Published 04/12/2024 10:14 · Modified 04/12/2024 10:23

Export JSON

Essential information

Published
04/12/2024 10:14
Modified
04/12/2024 10:23
Tags
2024-12-04 hr scam phishing
Related entities
69 observables, 1 intrusion sets (apt), 8 techniques (mitre), 4 others

Description

A malicious threat actor group dubbed 'Payroll Pirates' is orchestrating an ongoing human resources payroll redirection scam targeting numerous organizations' employees. The campaign primarily focuses on Workday users and high-profile companies. The actors employ search ads with brand keywords to promote sponsored websites, utilize website builders for rapid domain creation, and often host content behind an /online directory. The group has targeted various organizations, including the California Employment Development Department, Kaiser Permanente, Macy's, New York Life, and Roche. The scammers use obtained credentials and social security numbers to access employee portals and redirect funds to fraudulent bank accounts. The campaign's infrastructure includes hundreds of domains, dedicated IP ranges, and tactical shifts in specific timeframes.

External references