Hunting Payroll Pirates: Tracking HR Redirect Phishing Scam

Dec. 4, 2024, 10:23 a.m.

Description

A threat actor group dubbed 'Payroll Pirates' is orchestrating an ongoing human resources payroll redirection phishing scam targeting the employees of numerous organizations. The campaign primarily focuses on Workday users and high-profile companies. The actors employ search ads with brand keywords to promote sponsored phishing websites, utilize website builders for rapid domain creation, and often host phishing content behind an /online directory. The group has targeted various organizations, including the California Employment Development Department, Kaiser Permanente, Macy's, New York Life, and Roche. The scammers use the credentials and Social Security numbers they obtain to access employee portals and redirect funds to fraudulent bank accounts. The campaign's infrastructure includes hundreds of domains, dedicated IP ranges, and tactical shifts in specific timeframes.

Date

  • Created: Dec. 4, 2024, 10:14 a.m.
  • Published: Dec. 4, 2024, 10:14 a.m.
  • Modified: Dec. 4, 2024, 10:23 a.m.

Indicators


Attack Patterns

Additional Information

  • Retail
  • Healthcare
  • Finance
  • Government