Summary:
Silent Push Threat Analysts have identified a malicious group dubbed “Payroll Pirates,” which is conducting sophisticated HR payroll redirection phishing scams targeting employees of high-profile organizations. The group employs tactics such as buying search ads for brand keywords to lead victims to phishing sites. Continuous monitoring and research are being conducted to mitigate the risks associated with this threat.
#PayrollPirates #PhishingScam #ThreatIntelligence
Key points:
A threat actor group named “Payroll Pirates” is targeting HR payroll redirection.
Utilizes search ads with brand keywords to promote phishing websites.
Employs website builders for rapid domain creation.
Targets high-profile organizations, primarily Workday customers.
Phishing sites often mimic the directory structure of legitimate corporate portals.
Threat actors have been observed changing victims' banking information.
Continuous monitoring and sharing of intelligence to protect organizations.
Silent Push offers dedicated feeds for tracking malicious domains and IPs.
MITRE Techniques:
Phishing (T1566): Utilizes deceptive emails and websites to trick users into providing sensitive information.
Search Engine Manipulation (T1491): Buys search ads to promote phishing sites at the top of search results.
Credential Dumping (T1003): Collects sensitive information such as social security numbers from underground forums.
Domain Generation Algorithm (T1483): Rapidly creates new domains for phishing campaigns.
Web Service Hosting (T1496): Hosts phishing content on legitimate web services to increase credibility.
IoC:
Mitigation:
Monitor for new domains associated with Payroll Pirates.
Utilize Silent Push IOFA Feeds to track potential attack domains and IPs.
Implement security measures to detect phishing attempts targeting employee portals.
Educate employees about recognizing phishing scams and suspicious communications.
Regularly update security protocols to adapt to emerging threats.
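One way to act on the first mitigation above (monitoring for new lookalike domains, which the key points say are spun up quickly on website builders and mimic corporate portals), as an added example that is not code from Silent Push or the original report: a small Python script that scores DNS resolver queries for HR-portal lookalike traits and flags the ones worth triage. The keyword list, builder-TLD list, allowlist of the organisation's own portals and the resolver log lines are all constructed assumptions for this example.

```python
import re
# All keyword/TLD lists, allowlist entries and log lines below are constructed
# for this example; they are not indicators from the Silent Push report.
HR_KEYWORDS = ("myhr", "payroll", "workday", "myidm", "idmlogin", "mypay", "paystub")
BUILDER_TLDS = {"website", "world", "site", "online", "xyz", "top"}
ALLOWLIST = {"myhr.example-corp.com", "example-corp.myworkday.com"}  # hypothetical own portals
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

def score_domain(domain):
    """Score a queried hostname for HR-portal lookalike traits."""
    host = domain.lower().rstrip(".")
    if host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST):
        return {"domain": host, "score": 0, "reasons": ["allowlisted"]}
    labels = host.split(".")
    tld = labels[-1]
    # Join the non-TLD labels and drop hyphens so "myhr-login" still matches.
    stem = "".join(labels[:-1]).replace("-", "")
    score, reasons = 0, []
    hits = [k for k in HR_KEYWORDS if k in stem]
    if hits:  # impersonates an HR/payroll brand term
        score += 2
        reasons.append("hr-keyword:" + ",".join(hits))
    if tld in BUILDER_TLDS:  # cheap website-builder TLD
        score += 2
        reasons.append("builder-tld:" + tld)
    if "login" in stem or "portal" in stem:  # credential-lure wording
        score += 1
        reasons.append("lure-term")
    return {"domain": host, "score": score, "reasons": reasons}

def flag_dns_log(lines, threshold=3):
    """Return one scored entry per distinct domain at or above threshold."""
    seen = {}
    for line in lines:
        m = DNS_LINE.search(line)
        if m is None:
            continue
        entry = score_domain(m.group("qname"))
        if entry["score"] >= threshold and entry["domain"] not in seen:
            entry["client"] = m.group("client")
            seen[entry["domain"]] = entry
    return list(seen.values())

# Constructed sample resolver log lines (not real traffic).
SAMPLE_LOG = [
    "2024-10-02T09:14:01Z client=10.0.4.17 query=myhr-login.website type=A",
    "2024-10-02T09:14:05Z client=10.0.4.17 query=myhr.example-corp.com type=A",
    "2024-10-02T09:15:22Z client=10.0.7.3 query=www.example-news.site type=A",
    "2024-10-02T09:16:40Z client=10.0.9.8 query=payrollportal-secure.online type=A",
]
```

Hits from `flag_dns_log(SAMPLE_LOG)` are candidates for analyst review and for feeding into your blocklist or IOFA feed workflow, not automatic blocks; the allowlist is what keeps the organisation's real portals out of the queue.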
Full Research: https://www.silentpush.com/blog/payroll-pirates/?utm_source=rss&utm_medium=rss&utm_campaign=payroll-pirates