Impersonation of Payroll, HR, and Benefits Platforms by Cyber Criminals: A Growing Threat to Data and Financial Security


The ongoing struggle against online fraud is an ever-evolving challenge, a continuous cycle of adaptation between security teams and threat actors. The growing sophistication of these attacks increasingly blurs the distinction between legitimate user behavior and impersonation attempts.

Recent investigations have unveiled a new phishing kit specifically targeting payroll and payment platforms, with the intent to compromise victims’ credentials and perpetrate wire fraud.

Our inquiry commenced with the discovery of a fraudulent advertisement on search engines promoting a payroll and HR services company. This ad directed users—both employees and employers—to a phishing site masquerading as the legitimate service.

In addition to capturing usernames and passwords while bypassing two-factor authentication (2FA), the phishing kit harbors malicious code that performs additional undetected actions. Utilizing an authenticated web worker, it employs a legitimate hosted web service to manipulate sensitive data fields pertaining to banking and payment information.

During this investigation, the FBI issued a public service announcement highlighting that cybercriminals are exploiting search engine advertisements to impersonate legitimate websites, extending their reach to payroll systems, unemployment programs, and health savings accounts with the objective of executing fraudulent financial transactions.

Prompt action led to the swift removal of the misleading advertisement from Google. Notifications have been sent to the targeted company and the parent organization of the web service being exploited.

The targeted company operates in the payroll and HR sector, designed to navigate the complexities of global workforce management. We initially identified a rogue advertisement linked to the keywords “deel login,” with the fraudulent link appearing above the genuine search result for the official site.

The fraudulent URL, hosted on a .ZA.COM subdomain, misleads users: it routes them through a cloaking mechanism to either a decoy site or a phishing domain, which lets the threat actors change the destination as needed.

The phishing domains used—first identified as “login-deel.app”—were subsequently redirected to new malicious sites. The phishing interface presented a near-exact replica of the legitimate login page but disabled critical options such as “Log in using Google” and “Continue with QR code,” leaving only the fields for traditional authentication.

Upon submission of their credentials, victims are manipulated into providing the security code they receive via email; because the code is entered on the deceptive site rather than the genuine one, the protection 2FA is meant to provide is defeated.

A detailed network capture during our analysis revealed several unique aspects of this phishing kit. Notably, it utilized specific JavaScript libraries and implemented anti-debugging techniques to thwart deeper code examination, a tactic commonly deployed to obscure malicious activity.

Further analysis of the files indicated different session management functions, explicitly related to banking operations. The kit incorporates a legitimate library to facilitate server-client interactions using technologies for real-time communications. This design allows the phishing kit to maintain an ongoing connection with the actors behind the attack for credential processing and to navigate 2FA requirements.

The phishing kit is distinguished by several features including:

– Usage of obfuscator tools
– Implementation of WebSockets for real-time data communication
– Functionality to manage session types linked to sensitive financial data

The phishing campaign indicated multiple other potential targets in the payroll, HR, billing, and payment sectors, extending even to commerce platforms. Its operational history suggests that it had previously gone undetected for an extended period.

Mitigation strategies against such threats include proactive monitoring for domain spoofing, swift user notifications, and comprehensive education on recognizing increasingly sophisticated phishing techniques. These measures are essential for safeguarding digital identities and ensuring that users maintain vigilance in digital interactions.
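The "proactive monitoring for domain spoofing" mentioned above can be automated on the defender side. The following is an added example (not code from the original post or from any vendor) that normalizes hostnames seen in web-proxy logs, looks for brand tokens such as "deel" appearing as a label or dash-separated piece of a domain that is not the brand's own registrable domain (the deel.za.com pattern), and reports the matches. The brand watchlist, the substitution table and the log lines are assumptions constructed for illustration; the two deel hostnames are the ones quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Brand watchlist (payroll/HR/commerce names the campaign imitated) -> genuine registrable domain.
BRANDS = {"deel": "deel.com", "justworks": "justworks.com", "shopify": "shopify.com"}
# Substitutions typical of lookalike registrations, e.g. "vv" standing in for "w".
SUBSTITUTIONS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e")]

def normalize(label: str) -> str:
    # Undo the substitutions and collapse doubled letters: "shoopiffy" -> "shopify".
    label = label.lower()
    for bad, good in SUBSTITUTIONS:
        label = label.replace(bad, good)
    return re.sub(r"(.)\1+", r"\1", label)

def lookalike_brand(host: str):
    # Brand a hostname imitates, or None for the genuine domain or an unrelated host.
    host = host.lower().rstrip(".")
    # Last two labels stand in for the registrable domain; use a public-suffix list in production.
    if ".".join(host.split(".")[-2:]) in BRANDS.values():
        return None
    # Every label and dash-separated piece is a candidate brand token ("deel" inside deel.za.com).
    tokens = {normalize(t) for label in host.split(".") for t in label.split("-") if t}
    for brand in BRANDS:
        if normalize(brand) in tokens:
            return brand
    return None

# Constructed proxy log lines (not from the incident); the deel hosts are quoted in the post, the .invalid ones are made up.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z user1 GET https://app.deel.com/login
2024-01-01T10:00:07Z user2 GET https://deel.za.com/
2024-01-01T10:00:09Z user2 GET https://login-deel.app/login
2024-01-01T10:01:15Z user3 GET https://justvvorks-login.invalid/
2024-01-01T10:02:30Z user4 GET https://admin-shoopiffy.invalid/admin
2024-01-01T10:03:00Z user5 GET https://example.org/
"""

def scan(log_text: str):
    # Return (user, host, brand) for every request whose host looks like a brand spoof.
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            hits.append((parts[1], host, brand))
    return hits
```

Feeding the same logic with newly registered domains from certificate-transparency feeds, rather than only proxy logs, turns it from after-the-fact detection into early warning.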

The refined approach to security requires a collective responsibility, necessitating both users’ cautious engagement and providers’ commitment to preventative measures. Utilizing security solutions can reinforce this defense, providing an extra layer of protection against such malicious tactics.

Indicators of Compromise:

Redirect:

deel.za.com

Phishing Domains:

JavaScript File Hashes (SHA256):

Worker.js: 56755aaba6da17a9f398c3659237d365c52d7d8f0af9ea9ccde82c11d5cf063f