Hunting Payroll Pirates: Tracking HR Redirect Phishing Scam
Dec. 4, 2024, 10:23 a.m.
Description
A malicious threat actor group dubbed 'Payroll Pirates' is orchestrating an ongoing human resources payroll redirection phishing scam targeting numerous organizations' employees. The campaign primarily focuses on Workday users and high-profile companies. The actors employ search ads with brand keywords to promote sponsored phishing websites, utilize website builders for rapid domain creation, and often host phishing content behind an /online directory. The group has targeted various organizations, including the California Employment Development Department, Kaiser Permanente, Macy's, New York Life, and Roche. The scammers use obtained credentials and social security numbers to access employee portals and redirect funds to fraudulent bank accounts. The campaign's infrastructure includes hundreds of domains, dedicated IP ranges, and tactical shifts in specific timeframes.
Date
Published: Dec. 4, 2024, 10:14 a.m.
Created: Dec. 4, 2024, 10:14 a.m.
Modified: Dec. 4, 2024, 10:23 a.m.
Indicators
Attack Patterns
Payroll Pirates
T1608.004
T1583.001
T1585.002
T1587.001
T1586
T1589.002
T1584
T1566
Additional Information
Retail
Healthcare
Finance
Government