Cybercriminals Target Payroll and HR Platforms with Sophisticated Phishing Schemes
Discover how cybercriminals are impersonating payroll and HR platforms to steal sensitive information and funds, and learn about the advanced phishing techniques they employ.
TL;DR
Cybercriminals are employing advanced phishing techniques to impersonate payroll and HR platforms, aiming to steal sensitive information and funds. This article highlights a recent campaign targeting Deel, a payroll and HR company, and explains the sophisticated methods used to bypass security measures. The FBI has issued warnings about similar schemes, emphasizing the importance of vigilance and robust security practices.
The relentless battle against online fraud continues to evolve, with security teams and malicious actors constantly adapting their tactics. The increasing sophistication of cyber attacks is blurring the lines between legitimate user behavior and impersonation attempts. A recent campaign exemplifies this trend, targeting payroll and payment platforms to steal credentials and commit wire fraud.
Our investigation began with a fraudulent search ad for Deel, a payroll and human resources company. Clicking on the ad sent employees and employers to a phishing website impersonating Deel. The phishing kit behind it not only steals usernames and passwords but also defeats two-factor authentication (2FA) with malicious JavaScript that relays the victim's login in real time. That code also manipulates sensitive profile fields related to banking and payment information, and it talks to the attackers through Pusher, a legitimate hosted WebSocket service.
During our investigation, the FBI issued a public service announcement (PSA250424) warning about cybercriminals using search engine advertisements to impersonate legitimate websites. These attacks target payroll, unemployment programs, and health savings accounts to steal money through fraudulent wire transactions or redirect payments. The Google ad was quickly taken down, and we informed Deel and MessageBird (Pusher’s parent company) about the misuse of their platforms.
Search Results Ad Targets Deel
Deel, a US-based payroll and human resources company founded in 2019, offers solutions for managing a global workforce, including payroll, HR, and compliance. We first identified a malicious Google Search ad for Deel in mid-April for the keywords ‘deel login.’ The ad appeared just above the organic search result for Deel’s official website.
The URL in the ad (deel[.]za[.]com) sits under za.com, a second-level domain marketed to South African businesses, which suggests the campaign was aimed at South Africa. The URL acts as a redirect: the threat actors use cloaking to send clicks either to harmless decoy websites or to the phishing domain, depending on who is visiting.
Phishing Portal and 2FA
The first phishing domain we encountered was login-deel[.]app, which did not resolve initially. Later, the same Google ad URL pointed to a new domain, accuont-app-deel[.]cc. The phishing page mimicked Deel's login page but disabled the 'Log in using Google' and 'Continue with QR code' options, which a credential-harvesting page cannot capture, leaving only the username and password fields for authentication.
After entering their credentials, victims were prompted for the security code sent to their email address. Because the kit forwards the password and the one-time code to the real Deel site as the victim types them, 2FA offers no protection once the victim has authenticated into the wrong website.
Traffic Analysis
To understand how this phishing kit works, we recorded a network capture of the web requests sent and received. It revealed several interesting components, including the JavaScript files pusher.min.js, Worker.js, and kel.js.
The phishing kit uses anti-debugging techniques to hide its malicious intent, making analysis more time-consuming.
Scripts Analysis
The pusher.min.js file is the legitimate client library from Pusher, a hosted service whose APIs and developer tools manage WebSocket connections between servers and clients. The kel.js and Worker.js files do the real work: they authenticate the victim into the real Deel website while communicating with the threat actor's infrastructure, which processes the stolen credentials and receives the OTP code the victim types in, so the login to the real site can complete.
WebSockets provide full-duplex communication between a user's browser and a server, so either side can push data in real time. In one captured exchange, where the user had entered the wrong login credentials, the conversation begins with a pusher:connection_established message confirming a successful connection to the Pusher real-time service. The client then asks to listen for events on a specific channel, and the server acknowledges the subscription, after which the client receives real-time updates such as the outcome of the login attempt.
Additional Targets
This phishing kit is unique and can be tracked with the following characteristics:
- Obfuscator.io
- Pusher WebSockets
- Worker.js library
- kel.js/otp.js/auth.js/jquery.js library
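To turn the characteristics above into something a crawler or proxy can check, here is an added Python fingerprint (example code written for this edit, not Malwarebytes' detection logic). The sample HTML is constructed, and the obfuscator.io regexes are an assumed subset of that tool's typical output, not a complete signature.

```python
"""Fingerprint a fetched page against the kit's characteristics.

Added example, not Malwarebytes' detection logic. SAMPLE_HTML and BENIGN_HTML
are constructed; the obfuscator.io markers are an assumed subset of that
tool's typical output, not a complete signature.
"""
import re

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)

PUSHER_LIB = {"pusher.min.js", "pusher.js"}
WORKER_LIB = {"worker.js"}
KIT_LIBS = {"kel.js", "otp.js", "auth.js", "jquery.js"}
# Assumed obfuscator.io traces: hex-named identifiers and the while(!![]) idiom.
OBFUSCATOR_MARKS = [
    re.compile(r"\b_0x[0-9a-f]{4,}\b", re.I),
    re.compile(r"while\s*\(\s*!!\[\]\s*\)"),
]

SAMPLE_HTML = """<html><head>
<script src="/assets/pusher.min.js"></script>
<script src="/assets/Worker.js?v=3"></script>
<script src="/assets/kel.js"></script>
</head><body>
<script>var _0x4f2a=['log','Log in'];(function(){while(!![]){break;}})();</script>
</body></html>"""

BENIGN_HTML = """<html><head>
<script src="/static/jquery.js"></script>
<script src="/static/app.js"></script>
</head><body><script>console.log("hi");</script></body></html>"""


def script_basenames(html):
    """Lower-cased file names of every external script, query string stripped."""
    return {src.split("?")[0].rsplit("/", 1)[-1].lower()
            for src in SCRIPT_SRC.findall(html)}


def fingerprint(html, fetched_scripts=None):
    """Score html (plus optional {name: source} of fetched scripts) against the kit."""
    names = script_basenames(html)
    sources = INLINE_SCRIPT.findall(html) + list((fetched_scripts or {}).values())
    hits = {
        "pusher_websockets": bool(names & PUSHER_LIB),
        "worker_js": bool(names & WORKER_LIB),
        "kit_library": bool(names & KIT_LIBS),
        "obfuscator_io": any(p.search(src) for src in sources for p in OBFUSCATOR_MARKS),
    }
    score = sum(hits.values())
    # jquery.js is everywhere, so require the Pusher + Worker.js pairing to alert.
    suspicious = hits["pusher_websockets"] and hits["worker_js"] and score >= 3
    return {"hits": hits, "score": score, "suspicious": suspicious}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
    print(fingerprint(BENIGN_HTML))
```

The obfuscator check only sees inline scripts unless you pass the fetched external files in, because the kit's obfuscated logic lives in kel.js and Worker.js rather than in the HTML itself; the benign page shows why a single library name like jquery.js must not trigger an alert on its own.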
We identified several other targets, including payroll, HR, billing, payment solutions, and the commerce platform Shopify. The earliest use of this phishing kit dates back to July 2024.
- Justworks: Payroll, benefits, HR, and compliance.
- Marqeta: End-to-end credit and payment solutions.
- Shopify: Commerce platform.
- OmniFlex (Worldpay): Online point of sale solution.
Conclusion
The FBI’s PSA highlights several key measures businesses can adopt to protect users:
- Domain Spoofing: Companies must proactively monitor for brand impersonation.
- Notifications: Victims should be alerted promptly through multiple channels.
- Education: Users need to be aware of sophisticated phishing tactics to protect themselves better.
Checking a URL before clicking an advertisement is generally sound practice, but the address displayed in a sponsored result can differ from where the click actually lands, so it is not a reliable safeguard on its own. The discovery of this phishing kit reinforces a critical message: online security is a shared responsibility. Users must exercise caution and critical thinking online while strengthening their defenses with available tools. Browser extensions such as Malwarebytes Browser Guard can block ads and the scam or malware sites associated with these schemes.
Indicators of Compromise
Redirect
deel[.]za[.]com
Phishing Domains
login-deel[.]app
accuont-app-deel[.]cc
justvvokrs-login[.]cc
vye-starr[.]net
maqreta[.]com
ctelllo[.]com
angelistt[.]com
account[.]datedeath[.]com
account[.]turnkeycashsite[.]com
admin-shopffy[.]cc
biilll[.]com
app-parker[.]com
shluhify[.]com
login-biil[.]net
founderga[.]com
admin-shoopiffy[.]com
access-shupfify[.]com
virluaterminal[.]net
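One way to act on the FBI's advice to monitor for brand impersonation is to run look-alike detection over candidate domains such as the ones listed above. The following Python is an added example (not Malwarebytes' tooling or the original report's): the brand list, the noise words and the homoglyph substitutions are assumptions, and the distance threshold is a starting point rather than a tuned value.

```python
"""Brand look-alike check over the campaign's phishing domains.

Added example, not Malwarebytes' tooling. BRANDS, NOISE and HOMOGLYPHS are
assumed for illustration; the indicators are the ones reported in the article.
"""

BRANDS = ["deel", "justworks", "marqeta", "shopify"]

# Multi-character look-alikes common in typosquats (assumed list).
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Generic words the kit prepends so the brand still appears "in" the URL.
NOISE = {"login", "admin", "app", "account", "access", "www", "my", "secure"}

CAMPAIGN_DOMAINS = [
    "deel[.]za[.]com", "login-deel[.]app", "accuont-app-deel[.]cc",
    "justvvokrs-login[.]cc", "maqreta[.]com", "account[.]datedeath[.]com",
    "admin-shopffy[.]cc", "shluhify[.]com", "admin-shoopiffy[.]com",
    "access-shupfify[.]com",
]


def refang(indicator):
    """Turn a defanged indicator like deel[.]za[.]com back into a hostname."""
    return indicator.replace("[.]", ".").lower().strip()


def normalize(label):
    """Collapse look-alike character pairs before measuring distance."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def brand_tokens(hostname):
    """Every dash-separated token of every label except the TLD, minus noise."""
    for label in hostname.split(".")[:-1]:
        for token in label.split("-"):
            if token and token not in NOISE:
                yield token


def match_brand(indicator, max_distance=2):
    """Return (brand, token, distance) for the closest brand, or None."""
    best = None
    for token in brand_tokens(refang(indicator)):
        t = normalize(token)
        if len(t) < 4:
            continue  # short tokens would match almost anything
        for brand in BRANDS:
            dist = osa_distance(t, brand)
            if dist <= max_distance and (best is None or dist < best[2]):
                best = (brand, token, dist)
    return best


def flag_indicators(indicators):
    """Map each indicator that resembles a brand to its best match."""
    return {ioc: m for ioc in indicators if (m := match_brand(ioc))}


if __name__ == "__main__":
    for ioc, match in flag_indicators(CAMPAIGN_DOMAINS).items():
        print(f"{ioc}: {match}")
```

The caveat it demonstrates: edit distance alone misses shluhify[.]com (three edits away from shopify) and any domain that carries no brand token at all, such as account[.]datedeath[.]com, so this kind of check belongs alongside page-content checks and certificate transparency monitoring rather than replacing them.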
Worker.js (SHA256)
56755aaba6da17a9f398c3659237d365c52d7d8f0af9ea9ccde82c11d5cf063f
kel.js/otp.js/auth.js/jquery.js (SHA256)