A new wave of cyberattacks is exploiting mobile device users with fake login pages designed to steal payroll credentials and reroute employee salaries. This method, known as SEO poisoning, manipulates search results to direct victims to malicious sites disguised as company payroll portals.
According to researchers at ReliaQuest, attackers are primarily targeting the manufacturing sector and taking advantage of employees searching for payroll access on mobile devices.
How the Attack Works
The attack begins when employees search for terms like “[Company Name] payroll portal.” Hackers have set up fraudulent websites that rank high in search engine results for these keywords.
When clicked, these links lead to fake login pages that appear identical to the company’s real portals. Users unknowingly submit their credentials, which are instantly harvested by attackers.
The phishing sites are optimized for mobile users, often bypassing traditional corporate protections like secure networks and content filters. Mobile devices using guest Wi-Fi or cellular data are especially vulnerable.
Rapid Exploitation and Salary Theft
Once login credentials are stolen, attackers quickly access the company’s payroll systems, such as SAP SuccessFactors, and change direct deposit information to accounts they control.
This allows them to intercept employee paychecks, causing financial losses and damaging employee trust. Organizations may also face regulatory consequences for failing to protect personal data.
Stealthy Infrastructure and Routing
To stay hidden, attackers route their activity through compromised home office routers and mobile networks, including devices from brands like ASUS and Pakedge. The resulting residential IP addresses make the activity appear legitimate and defeat detection based on geolocation.
In one case, an attacker briefly exposed their real location through a Russian IP address (188.143.232.224) before switching back to a proxy network of infected home devices.
Technical Details of the Attack
When users visit the fake sites, desktop visitors see a benign WordPress page, but mobile users are redirected to a fake Microsoft login page designed to collect credentials.
The phishing system uses Pusher, a real-time communication platform, to send alerts via WebSockets as soon as credentials are entered. This lets attackers act quickly, often before the breach is detected.
The malicious JavaScript file, named analytics.js, includes the following code fragment:

```javascript
ess: function (_Oxfec991) { pusher = new Pusher("24b4d4cd17db28a86437", { cluster: "ap2"
```
Using WebSockets rather than standard HTTP requests helps the attackers evade network security systems that monitor outbound traffic.
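The behaviour described above leaves a recognisable pattern in a web proxy log: a mobile client loads a login page on a host that is not the company's, that host serves an analytics.js, and the client then opens a WebSocket to the Pusher realtime service. The following detection pass is an added example, not code from the report or from ReliaQuest; the pipe-delimited log format, the allowlists, the ws-<cluster>.pusher.com host naming and the sample lines are all assumptions constructed for illustration.

```python
"""Detection pass over proxy logs for the mobile payroll-phishing kit pattern.
Added example; log format, allowlists and host naming are assumptions."""
import re
from dataclasses import dataclass

# Assumed pipe-delimited proxy log format (one event per line):
# timestamp|client_ip|method|host|path|status|user_agent|upgrade_header
# Constructed sample lines for illustration, not real telemetry.
SAMPLE_LOGS = """\
2024-06-03T09:13:58Z|10.20.1.15|GET|payroll-login.example-lookalike.invalid|/login|200|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)|-
2024-06-03T09:13:59Z|10.20.1.15|GET|payroll-login.example-lookalike.invalid|/analytics.js|200|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)|-
2024-06-03T09:14:02Z|10.20.1.15|GET|ws-ap2.pusher.com|/app/24b4d4cd17db28a86437|101|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)|websocket
2024-06-03T09:15:11Z|10.20.1.22|GET|login.microsoftonline.com|/common/oauth2/authorize|200|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|-
2024-06-03T09:16:40Z|10.20.1.30|GET|cdn.example-corp.invalid|/analytics.js|200|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|-
2024-06-03T09:17:02Z|10.20.1.41|GET|payroll.example-corp.invalid|/login|200|Mozilla/5.0 (Linux; Android 14)|-
"""

# Hosts the organisation legitimately serves login pages and scripts from (assumed).
CORPORATE_LOGIN_HOSTS = {"payroll.example-corp.invalid", "login.microsoftonline.com"}
CORPORATE_SCRIPT_HOSTS = {"cdn.example-corp.invalid"}
# Third-party realtime broker the kit uses to alert the operator.
REALTIME_BROKER = re.compile(r"(^|\.)pusher\.com$")
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile")

FIELDS = ("ts", "client_ip", "method", "host", "path", "status", "user_agent", "upgrade")


@dataclass(frozen=True)
class Finding:
    client_ip: str
    rule: str
    host: str


def parse_line(line: str):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split("|")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def analyze(log_text: str) -> list[Finding]:
    """Apply the three rules to every line and return the matches."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        host, path = ev["host"].lower(), ev["path"].lower()
        is_websocket = ev["upgrade"].lower() == "websocket" or ev["status"] == "101"
        if is_websocket and REALTIME_BROKER.search(host):
            findings.append(Finding(ev["client_ip"], "websocket_to_realtime_broker", host))
        if (path.startswith("/login") and host not in CORPORATE_LOGIN_HOSTS
                and MOBILE_UA.search(ev["user_agent"])):
            findings.append(Finding(ev["client_ip"], "mobile_login_on_unknown_host", host))
        if path.endswith("/analytics.js") and host not in CORPORATE_SCRIPT_HOSTS:
            findings.append(Finding(ev["client_ip"], "analytics_js_from_unknown_host", host))
    return findings


def correlate(findings: list[Finding]) -> list[str]:
    """Clients that both reached an unknown login page and opened a channel to
    the realtime broker; the combination, not either event alone, is the signal."""
    rules_by_ip: dict[str, set[str]] = {}
    for f in findings:
        rules_by_ip.setdefault(f.client_ip, set()).add(f.rule)
    required = {"mobile_login_on_unknown_host", "websocket_to_realtime_broker"}
    return sorted(ip for ip, rules in rules_by_ip.items() if required <= rules)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
    print("correlated clients:", correlate(analyze(SAMPLE_LOGS)))
```

The WebSocket rule keys on the Upgrade header or the 101 response rather than on a URL, because the exfiltration the text describes never appears as an ordinary HTTP request body; the correlation step exists because a single WebSocket to a commercial realtime broker is common in legitimate web apps and only becomes suspicious next to a login page on an unknown host.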
Recommendations for Protection
Security experts advise organizations to take the following steps to mitigate risks:
- Enable multi-factor authentication (MFA) for all payroll systems
- Set up alerts for direct deposit changes
- Educate employees to access payroll portals only through verified corporate links or single sign-on (SSO) tools
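The second recommendation, alerting on direct deposit changes, is most useful when the alert carries context about how the change was reached. The following review routine is an added example, not part of the original article: every change produces an alert, and the alert is escalated when the most recent login for that user lacked MFA, came from outside corporate address space, or happened within minutes of the change. The event schema, the corporate network range (a documentation prefix), the 15-minute window and the hold-payment decision are assumptions.

```python
"""Alerting on payroll direct-deposit changes, escalated by login context.
Added example; event schema, network range and thresholds are assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Assumed corporate egress range (TEST-NET-3, a documentation prefix).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# A change this soon after a login is the pattern the article describes.
RAPID_CHANGE_WINDOW = timedelta(minutes=15)

# Constructed payroll audit events, not real data. Times are UTC.
LOGINS = [
    {"user": "asmith", "ts": "2024-06-03T09:00:00", "ip": "198.51.100.7", "mfa": False},
    {"user": "bjones", "ts": "2024-06-03T08:30:00", "ip": "203.0.113.40", "mfa": True},
]
DEPOSIT_CHANGES = [
    {"user": "asmith", "ts": "2024-06-03T09:03:00", "new_account_tail": "4471"},
    {"user": "bjones", "ts": "2024-06-03T10:00:00", "new_account_tail": "9902"},
    {"user": "cdoe", "ts": "2024-06-03T11:20:00", "new_account_tail": "1138"},
]


def is_corporate(ip: str) -> bool:
    """True when the address falls inside an allowlisted corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def review_deposit_changes(logins, changes):
    """Return one alert per change, with the reasons that raise its severity."""
    alerts = []
    for change in changes:
        change_ts = _ts(change["ts"])
        prior = [l for l in logins
                 if l["user"] == change["user"] and _ts(l["ts"]) <= change_ts]
        last = max(prior, key=lambda l: _ts(l["ts"]), default=None)
        reasons = []
        if last is None:
            # A change with no login in the audit trail is itself suspicious.
            reasons.append("no_prior_login")
        else:
            if not last["mfa"]:
                reasons.append("login_without_mfa")
            if not is_corporate(last["ip"]):
                reasons.append("login_from_non_corporate_ip")
            if change_ts - _ts(last["ts"]) <= RAPID_CHANGE_WINDOW:
                reasons.append("change_within_15m_of_login")
        severity = "high" if reasons else "info"
        alerts.append({
            "user": change["user"],
            "new_account_tail": change["new_account_tail"],
            "severity": severity,
            "reasons": reasons,
            # Assumed policy: hold the next payout until the employee confirms.
            "hold_payment": severity == "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in review_deposit_changes(LOGINS, DEPOSIT_CHANGES):
        print(alert)
```

The checks deliberately avoid country-level geolocation: the article notes that the attackers route through residential IP addresses in compromised home routers precisely so that geolocation looks normal, so MFA status, membership in known corporate ranges and timing relative to the login are more reliable signals than where the address appears to be.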
This attack underscores the importance of extending enterprise security controls to cover mobile devices and preventing exposure via unmonitored internet searches.