{"id":672,"date":"2025-05-08T20:01:19","date_gmt":"2025-05-08T17:01:19","guid":{"rendered":"https:\/\/trustcrypt.com\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/"},"modified":"2025-05-08T20:01:19","modified_gmt":"2025-05-08T17:01:19","slug":"impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/","title":{"rendered":"Impersonation of Payroll, HR, and Benefits Platforms by Cyber Criminals: A Growing Threat to Data and Financial Security"},"content":{"rendered":"<p>The ongoing struggle against online fraud is an ever-evolving challenge, characterized by a continuous adaptation between security teams and threat actors. The sophistication of these attacks increasingly blurs the distinction between legitimate user behavior and attempts at impersonation.<\/p>\n<p>Recent investigations have unveiled a new phishing kit specifically targeting payroll and payment platforms, with the intent to compromise victims\u2019 credentials and perpetrate wire fraud.<\/p>\n<p>Our inquiry commenced with the discovery of a fraudulent advertisement on search engines promoting a payroll and HR services company. This ad directed users\u2014both employees and employers\u2014to a phishing site masquerading as the legitimate service.<\/p>\n<p>In addition to capturing usernames and passwords while bypassing two-factor authentication (2FA), the phishing kit harbors malicious code that performs additional undetected actions. 
Utilizing an authenticated web worker, it employs a legitimate hosted web service to manipulate sensitive data fields pertaining to banking and payment information.<\/p>\n<p>During this investigation, the FBI issued a public service announcement highlighting that cybercriminals are exploiting search engine advertisements to impersonate legitimate websites, extending their reach to payroll systems, unemployment programs, and health savings accounts with the objective of executing fraudulent financial transactions.<\/p>\n<p>Prompt action led to the swift removal of the misleading advertisement from Google. Notifications have been sent to the targeted company and the parent organization of the web service being exploited.<\/p>\n<p>The targeted company operates in the payroll and HR sector, with services designed to navigate the complexities of global workforce management. We initially identified a rogue advertisement linked to the keywords &#8220;deel login,&#8221; with the fraudulent link appearing above the genuine search result for the official site.<\/p>\n<p>The fraudulent URL, which uses a .ZA.COM subdomain, redirects users through cloaking mechanisms to decoy or phishing domains, allowing threat actors to alter destinations as needed.<\/p>\n<p>The phishing domains used\u2014first identified as &#8220;login-deel.app&#8221;\u2014were subsequently redirected to new malicious sites. The phishing interface presented a near-exact replica of the legitimate login page but disabled critical options such as &#8220;Log in using Google&#8221; and &#8220;Continue with QR code,&#8221; leaving only the fields for traditional authentication.<\/p>\n<p>After victims submit their credentials, they are manipulated into providing a security code received via email; because the code is entered on the deceptive site, the protection 2FA provides is effectively undermined.<\/p>\n<p>A detailed network capture during our analysis revealed several unique aspects of this phishing kit. 
Notably, it utilized specific JavaScript libraries and implemented anti-debugging techniques to thwart deeper code examination, a tactic commonly used to obscure malicious activity.<\/p>\n<p>Further analysis of the files revealed distinct session management functions explicitly related to banking operations. The kit incorporates a legitimate library for real-time client-server communication. This design lets the phishing kit maintain an ongoing connection with the actors behind the attack, both to process credentials and to navigate 2FA requirements.<\/p>\n<p>The phishing kit is distinguished by several features, including:<\/p>\n<p>&#8211; Usage of obfuscator tools<br \/>\n&#8211; Implementation of WebSockets for real-time data communication<br \/>\n&#8211; Functionality to manage session types linked to sensitive financial data<\/p>\n<p>The phishing campaign pointed to multiple other potential targets in the payroll, HR, billing, and payment sectors, extending even to commerce platforms. Its operational history suggests that it had previously gone undetected for an extended period.<\/p>\n<p>Mitigation strategies against such threats include proactive monitoring for domain spoofing, swift user notifications, and comprehensive education on recognizing increasingly sophisticated phishing techniques. These measures are essential for safeguarding digital identities and ensuring that users remain vigilant in digital interactions.<\/p>\n<p>A sound approach to security is a collective responsibility, requiring both users&#8217; cautious engagement and providers\u2019 commitment to preventative measures. 
Utilizing security solutions can reinforce this defense, providing an extra layer of protection against such malicious tactics.<\/p>\n<p><strong>Indicators of Compromise:<\/strong><\/p>\n<p>Redirect:<\/p>\n<pre><code>\ndeel.za.com\n<\/code><\/pre>\n<p>Phishing Domains:<\/p>\n<p>JavaScript File Hashes (SHA256):<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The ongoing struggle against online fraud is an ever-evolving challenge, characterized by a continuous adaptation between security teams and 
threat&#8230;<\/p>\n","protected":false},"author":1,"featured_media":673,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[73,89,77],"class_list":["post-672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-cybersecurity","tag-fraud","tag-phishing"],"acf":[],
"yoast_head_json":{"title":"Impersonation of Payroll, HR, and Benefits Platforms by Cyber Criminals: A Growing Threat to Data and Financial Security - Trustcrypt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustcrypt.com\/ar\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/","og_locale":"ar_AR","og_type":"article","og_title":"Impersonation of Payroll, HR, and Benefits Platforms by Cyber Criminals: A Growing Threat to Data and Financial Security - Trustcrypt","og_description":"The ongoing struggle against online fraud is an ever-evolving challenge, characterized by a continuous adaptation between security teams and threat...","og_url":"https:\/\/trustcrypt.com\/ar\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/","og_site_name":"Trustcrypt","article_published_time":"2025-05-08T17:01:19+00:00","author":"Trustscrypt","twitter_card":"summary_large_image","twitter_misc":{"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629":"Trustscrypt","\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631":"4 \u062f\u0642\u0627\u0626\u0642"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustcrypt.com\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/","url":"https:\/\/trustcrypt.com\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/","name":"Impersonation of Payroll, HR, and Benefits Platforms by Cyber Criminals: A Growing Threat to Data and Financial 
Security","isPartOf":{"@id":"https:\/\/trustcrypt.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustcrypt.com\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/#primaryimage"},"image":{"@id":"https:\/\/trustcrypt.com\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/#primaryimage"},"thumbnailUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security.webp","datePublished":"2025-05-08T17:01:19+00:00","author":{"@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f"},"inLanguage":"ar","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustcrypt.com\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/"]}]},{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security\/#primaryimage","url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security.webp","contentUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/impersonation-of-payroll-hr-and-benefits-platforms-by-cyber-criminals-a-growing-threat-to-data-and-financial-security.webp","width":1792,"height":1024,"caption":"Impersonation of Payroll, HR, and Benefits Platforms by Cyber Criminals: A Growing Threat to Data and Financial Security"},{"@type":"WebSite","@id":"https:\/\/trustcrypt.com\/#website","url":"https:\/\/trustcrypt.com\/","name":"Trustcrypt","description":"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 
\u0627\u0644\u062b\u0627\u0646\u064a","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustcrypt.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ar"},{"@type":"Person","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f","name":"Trustscrypt","image":{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","caption":"Trustscrypt"},"sameAs":["http:\/\/trustcrypt.com"],"url":"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/"}]}},"_links":{"self":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/672","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/comments?post=672"}],"version-history":[{"count":0,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/672\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media\/673"}],"wp:attachment":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media?parent=672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/categories?post=672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/tags?post=672"}],"curies":[{"name":"wp","href":"https:\/
\/api.w.org\/{rel}","templated":true}]}}