Cybercriminals exploit search engines, mobile devices, and proxy networks to bypass security and siphon off employee salaries.
A recent investigation by cybersecurity firm ReliaQuest has uncovered a sophisticated payroll fraud campaign that begins with a seemingly harmless Google search and ends with stolen paychecks. By exploiting mobile devices, search engine optimization (SEO) tactics, and vulnerable home routers, attackers could steal employee credentials and redirect their salaries into criminal-controlled accounts.
It Started with a Search
The breach came to light after ReliaQuest detected unauthorized access to a customer’s SAP SuccessFactors portal, a human resources platform. Once inside, the attacker quietly altered an employee’s direct deposit settings, rerouting paychecks to an account under their control.
The big question: how did the attacker get in?
Early theories pointed to SEO poisoning, a tactic where attackers use search ads or optimize malicious content to appear in top search results. Although desktop testing initially turned up nothing suspicious, further investigation using mobile devices told a different story. When employees searched for the company’s name with keywords like “payroll” or “portal,” a malicious website appeared as the top result, most likely due to attacker-controlled ad campaigns targeted at mobile users.
By focusing on mobile devices, attackers gained two key advantages:
- Bypassed network protections: Employees’ mobile devices often use guest Wi-Fi or remain disconnected from corporate networks, dodging enterprise-grade web filtering that might have blocked the malicious site.
- Invisible to IT: Since access happened off-network and often after hours, security teams lacked the logs to trace the breach, leaving them blind to the compromise.
The Digital Doppelganger
Staff members who clicked the malicious link were sent to a WordPress site that behaved differently depending on the device. While the desktop version seemed empty, mobile users were redirected to a fake Microsoft login page, designed to harvest credentials.
Once stolen, the credentials were sent to an attacker-controlled server via an HTTP POST request, referencing a suspicious “xxx.php” file. This file appeared in two earlier incidents, which hints at a repeat offender.
The attacker also used Pusher, a legitimate real-time messaging platform, to monitor the phishing site live. JavaScript on the phishing page opened a WebSocket connection using an app key tied to the attacker. This gave the attackers an instant notification whenever credentials were typed in, leaving them time to use the stolen logins before they were revoked.
Infiltrating the Payroll System
Armed with stolen credentials, the attacker logged into the payroll system. Their first entry came from an AT&T IP address, after which they accessed internal files (specifically one instructing employees on how to update direct deposit details). Shortly after, an authentication attempt from a Russian IP was blocked, likely a slip-up where the attacker forgot to use a proxy.
Later logins were stealthier, coming from U.S.-based residential IPs such as 142.196.199[.]253. Upon analysis, many of these IPs were tied to home routers from brands like ASUS and Pakedge, devices frequently targeted because of weak security settings or outdated firmware.
This tactic lets attackers masquerade as legitimate users, slipping past geographic or behavioral security filters and quietly rerouting paychecks via SAP SuccessFactors.
Proxy Networks: The Attacker’s Cloak
To stay hidden, the attackers relied on vast proxy networks powered by compromised home routers. By using these residential IP addresses, which appear legitimate and geographically appropriate, the attackers avoided raising suspicion.
These proxy services, often priced as low as $0.77 per gigabyte, are popular on cybercriminal marketplaces. Some, like those behind the infamous Anyproxy and 5socks botnets, have generated tens of millions in revenue. They allow cybercriminals to pay small fees to disguise their traffic and evade traditional detection methods.
A Critical Blind Spot
This attack highlights a critical blind spot in enterprise security: off-network mobile devices. Traditional security tools can’t see or stop the threat when employees access sensitive services from unsecured personal devices or networks.
Furthermore, attackers’ use of residential proxies, real-time credential monitoring, and brand impersonation makes detection and mitigation significantly harder. These methods allow them to blend into regular traffic and exploit organizational trust in familiar IPs and search platforms.
Response and Recommendations
To combat threats like this, ReliaQuest recommends the following steps for organizations:
- Educate employees to access portals through bookmarks or single sign-on (SSO), not search engines.
- Enforce multi-factor authentication (MFA) with additional protections like device certificates.
- Set up direct deposit alerts to notify employees of changes to their accounts.
- Use digital risk protection (DRP) tools to detect and take down impersonating domains quickly.
- Deploy automated response playbooks to terminate sessions, reset passwords, and block suspicious IPs in real-time.
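The pattern described above (a blocked foreign login, then logins from several networks, then a direct deposit change from an IP the employee had never used) can be turned into a simple detection over HR-portal audit events. The following is an added example written for this article, not code from ReliaQuest or SAP; the log format, field names and all IP addresses are constructed, and the network tag stands in for the ASN/GeoIP enrichment a SIEM would normally supply.

```python
from datetime import datetime, timedelta

# Constructed sample HR-portal audit log (not from the ReliaQuest report).
# Fields: timestamp|event|user|source_ip|network_tag. The tag stands in for
# the ASN / GeoIP enrichment a SIEM would add; IPs are RFC 5737 test ranges.
SAMPLE_LOG = """\
2024-04-28T08:30:00|login|bob|10.20.30.41|corp-vpn
2024-05-01T08:02:11|login|alice|10.20.30.40|corp-vpn
2024-05-02T19:41:03|login|alice|192.0.2.77|us-mobile-carrier
2024-05-02T19:44:20|login_blocked|alice|198.51.100.9|ru-hosting
2024-05-02T20:10:55|login|alice|203.0.113.253|us-residential
2024-05-02T20:14:09|direct_deposit_change|alice|203.0.113.253|us-residential
2024-05-03T09:00:00|login|bob|10.20.30.41|corp-vpn
2024-05-03T09:05:00|direct_deposit_change|bob|10.20.30.41|corp-vpn
"""


def parse(log_text):
    """Parse pipe-delimited audit lines into (ts, event, user, ip, tag) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event, user, ip, tag = line.split("|")
        events.append((datetime.fromisoformat(ts), event, user, ip, tag))
    return sorted(events)


def detect(log_text, window=timedelta(hours=24), baseline=timedelta(days=30)):
    """Return (user, rule, timestamp) alerts for suspicious payroll changes."""
    alerts = []
    events = parse(log_text)
    for ts, event, user, ip, tag in events:
        if event != "direct_deposit_change":
            continue
        history = [e for e in events
                   if e[2] == user and e[0] < ts and ts - e[0] <= baseline]
        # Only logins older than the window count as baseline: the attacker's own
        # first login from a fresh proxy IP must not make that IP "known".
        known_ips = {e[3] for e in history if e[1] == "login" and ts - e[0] > window}
        if ip not in known_ips:
            alerts.append((user, "change_from_new_ip", ts))
        recent = [e for e in history if ts - e[0] <= window]
        # A blocked login shortly before a payroll change mirrors the proxy slip-up.
        if any(e[1] == "login_blocked" for e in recent):
            alerts.append((user, "blocked_login_before_change", ts))
        # Logins from two or more networks within the window suggest proxy hopping.
        if len({e[4] for e in recent if e[1] == "login"}) >= 2:
            alerts.append((user, "multiple_networks_before_change", ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each alert maps to a response step already listed above: notify the employee of the change, terminate the session and reset the password, and feed the source IP to the blocklist.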
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.