Full Report
Unit 42 breaks down a payroll attack fueled by social engineering. Learn how the breach happened and how to protect your organization from similar threats. The post Anatomy of an Attack: The Payroll Pirates and the Power of Social Engineering appeared first on Unit 42.
Analysis Summary
# Incident Report: The Payroll Pirates Social Engineering Attack
## Executive Summary
A threat actor used SMS phishing (smishing) followed by voice calls impersonating IT support to bypass push-based multi-factor authentication (MFA) and gain unauthorized access to a corporate environment. The attackers redirected employee payroll direct deposits to accounts they controlled and harvested sensitive HR data. The incident shows how a control that depends on a human judgement call, such as approving a push prompt, fails under persistent social engineering.
## Incident Details
- **Discovery Date:** Not explicitly disclosed
- **Incident Date:** Q1 2024 (Active campaign period)
- **Affected Organization:** Not disclosed (Case study from Unit 42)
- **Sector:** Diversified (primarily targeting HR and Finance functions)
- **Geography:** Global / North America
## Timeline of Events
### Initial Access
- **Vector:** SMS Phishing (Smishing) and Social Engineering
- **Details:** The attacker sent text messages to employees posing as the IT department, claiming an urgent security update was required. This linked to a credential harvesting site that mimicked the corporate SSO provider.
### MFA Bypass
- **Method:** With the stolen credentials, the attacker triggered an MFA push prompt, then phoned the employee posing as IT support and "guided" them through the login so that the user approved the attacker's push notification. No movement inside the network was needed; the MFA bypass gave direct access to the HR portal.
### Data Exfiltration/Impact
- After gaining access to the HR management system (HRIS), the attacker modified banking details for high-salary employees.
- The attacker remained in the system to monitor payroll cycles, ensuring redirections occurred during the next pay period.
### Detection & Response
- **Discovery:** Discovered when employees reported missing payroll payments and IT noticed anomalous logins from non-standard IP addresses/locations.
- **Response Actions:** Immediate revocation of compromised sessions and forced password resets for affected users.
## Attack Methodology
- **Initial Access:** Smishing (SMS Phishing) leading to a proxy-based phishing site (AiTM).
- **Persistence:** Keeping the authenticated HRIS session alive and changing the employee's secondary contact information, which diverts any change notifications the HRIS sends to the employee.
- **Privilege Escalation:** Not required; an ordinary employee's self-service access to the HR portal was sufficient to edit direct deposit details.
- **Defense Evasion:** Use of residential proxy services to make login attempts appear local to the victim's geography.
- **Credential Access:** Credential harvesting via look-alike domains.
- **Discovery:** Mapping the internal HR portal and identifying the "Direct Deposit" settings.
- **Lateral Movement:** None; the attack stayed within identity-based access to the web-facing HRIS.
- **Collection:** Gathering PII and banking information from the HRIS.
- **Exfiltration:** PII and banking details taken out of the HRIS; the direct deposit edits themselves are impact rather than exfiltration.
- **Impact:** Financial theft and exposure of PII.
## Impact Assessment
- **Financial:** Significant loss of funds due to redirected payroll deposits; costs associated with incident response.
- **Data Breach:** Compromise of Employee PII (Social Security Numbers, addresses, banking details).
- **Operational:** Disruption of the payroll department and necessity for manual audits of all employee accounts.
- **Reputational:** Loss of employee trust in corporate internal security measures.
## Indicators of Compromise
- **Network indicators:**
- Look-alike SSO domains; the two below illustrate the pattern and should be treated as placeholders rather than confirmed indicators:
- `hxxps[:]//okta-verify-cloud[.]com`
- `hxxps[:]//corporate-sso-portal[.]net`
- Logins from commercial VPN or residential proxy ranges, which defeat simple geography-based anomaly checks.
- **Behavioral indicators:**
- Multiple MFA push notifications to one user in rapid succession, followed by an approval.
- Sensitive HRIS profile changes (direct deposit, contact details) within minutes of an MFA challenge.
- Direct deposit changes submitted 24-48 hours before payroll processing.
## Response Actions
- **Containment:** Disabled all compromised accounts and blocked identified malicious domains at the DNS level.
- **Eradication:** Removed fraudulent banking information and reverted HR portal settings.
- **Recovery:** Reimbursement of employees and implementation of "out-of-band" verification for all banking changes.
## Lessons Learned
- **MFA is not a silver bullet:** Push-based and OTP MFA can be bypassed by social engineering (MFA fatigue or voice phishing); only phishing-resistant factors remove the human approval step.
- **Process Over Technology:** Banking changes should require a secondary approval or a cooling-off period, with notifications sent over multiple channels (email and SMS) to the contact details on file *before* the change request, since an attacker who edits contact details first can otherwise divert the alerts.
- **Visibility Gaps:** Lack of monitoring for changes in sensitive HR fields allowed the attacker to remain undetected until the payroll date.
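The cooling-off period and out-of-band verification described in the response and lessons-learned sections, as an added example that is not the affected organization's or Unit 42's code. The class and field names are hypothetical, the 72-hour hold is an assumed value, and the email/SMS senders are replaced by a list so it runs offline. The point it demonstrates is that the notification targets are snapshotted when the change is requested, so the attacker's later edit to the contact details cannot redirect the warning.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(hours=72)  # assumed cooling-off period before a change takes effect


@dataclass
class Employee:
    id: str
    email: str
    phone: str
    bank_account: str


@dataclass
class PendingChange:
    employee_id: str
    new_account: str
    requested_at: datetime
    notify_email: str   # contact details snapshotted at request time ...
    notify_phone: str   # ... so later profile edits cannot redirect the alerts
    confirmed: bool = False
    cancelled: bool = False
    applied: bool = False
    verified_by: str = ""


class DirectDepositGuard:
    """Holds bank-account changes for HOLD_PERIOD and requires out-of-band confirmation."""

    def __init__(self, employees):
        self.employees = {e.id: e for e in employees}
        self.pending = {}
        self.sent = []  # (channel, destination, text); stand-in for real email/SMS senders

    def request_change(self, employee_id, new_account, now):
        emp = self.employees[employee_id]
        change = PendingChange(employee_id, new_account, now, emp.email, emp.phone)
        self.pending[employee_id] = change
        text = (f"Direct deposit change requested for {employee_id}; it takes effect no earlier than "
                f"{now + HOLD_PERIOD:%Y-%m-%d %H:%M}. Not you? Call payroll to cancel.")
        # Notify every channel on file before the request, not just the one the requester chose.
        self.sent.append(("email", change.notify_email, text))
        self.sent.append(("sms", change.notify_phone, text))
        return change

    def update_contact(self, employee_id, email=None, phone=None):
        emp = self.employees[employee_id]
        if email:
            emp.email = email
        if phone:
            emp.phone = phone
        # Deliberately no effect on PendingChange.notify_*: the snapshot stands.

    def confirm_out_of_band(self, employee_id, verified_by):
        """Payroll staff call this after verifying the employee on a known-good channel
        (for example a callback to the phone number that was on file before the request)."""
        change = self.pending.get(employee_id)
        if change and not change.cancelled:
            change.confirmed = True
            change.verified_by = verified_by

    def cancel(self, employee_id):
        change = self.pending.get(employee_id)
        if change and not change.applied:
            change.cancelled = True
            change.confirmed = False

    def apply_due_changes(self, now):
        """Apply changes that are confirmed, not cancelled, and past the hold period."""
        applied = []
        for eid, change in self.pending.items():
            if change.applied or change.cancelled or not change.confirmed:
                continue
            if now - change.requested_at < HOLD_PERIOD:
                continue
            self.employees[eid].bank_account = change.new_account
            change.applied = True
            applied.append(eid)
        return applied


def demo():
    """Attacker path and legitimate path side by side (constructed scenario)."""
    t0 = datetime(2024, 3, 13, 14, 21)
    guard = DirectDepositGuard([
        Employee("jdoe", "jdoe@example.com", "+15555550100", "ACCT-JDOE"),
        Employee("asmith", "asmith@example.com", "+15555550101", "ACCT-ASMITH"),
    ])
    # Attacker, inside jdoe's phished session, redirects deposits and then swaps the
    # contact email so that follow-up notices would go to a mailbox they control.
    guard.request_change("jdoe", "ACCT-MULE", t0)
    guard.update_contact("jdoe", email="jdoe.alt@example.net")
    # Legitimate employee submits a change and is verified by payroll via callback.
    guard.request_change("asmith", "ACCT-NEWBANK", t0)
    guard.confirm_out_of_band("asmith", verified_by="payroll-desk")
    guard.apply_due_changes(t0 + timedelta(hours=24))  # still inside the hold: nothing applies
    guard.cancel("jdoe")                                # jdoe saw the notice on the original email and called in
    applied = guard.apply_due_changes(t0 + timedelta(hours=73))
    return guard, applied


if __name__ == "__main__":
    g, done = demo()
    print("applied:", done, {e.id: e.bank_account for e in g.employees.values()})
```

The unconfirmed attacker request would never have applied even without the cancellation; the hold period exists so that the original-channel notice has time to reach the employee, and the out-of-band confirmation closes the gap for an attacker who also controls the victim's mailbox.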
## Recommendations
- **Transition to FIDO2/Passkeys:** Move to phishing-resistant, hardware-backed MFA (FIDO2 security keys such as YubiKeys, or platform passkeys). Because the authenticator binds its response to the origin it was registered for, a look-alike AiTM proxy domain cannot obtain a valid assertion, and there is no push prompt for a caller to talk the user into approving.
- **Security Awareness Training:** Run vishing (voice phishing) and smishing simulations built around "IT support" scenarios, and give employees a sanctioned way to verify an unexpected IT call (hang up and call back on the published help desk number).
- **Conditional Access:** Restrict HRIS access to compliant managed devices; IP allow-listing alone is weaker because residential proxies let the attacker appear to log in from the victim's region.
- **Audit Logging:** Alert in real time on every change to direct deposit information, and escalate changes made within 72 hours of a payroll run.
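The behavioral indicators listed above and the audit-logging recommendation, turned into detection logic as an added example (not Unit 42's or the organization's code). The IdP and HRIS events are constructed sample telemetry with assumed field names; map them to whatever your identity provider and HR system actually export. Three rules run over the same events: push-fatigue (many prompts to one user in a short window), a sensitive HRIS edit shortly after an MFA approval, and a direct-deposit edit inside the lead window before a payroll run.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not data from the Unit 42 report).
# Field names are assumptions standing in for the real IdP/HRIS export formats.
IDP_EVENTS = [
    {"ts": "2024-03-13T14:02:10", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7"},
    {"ts": "2024-03-13T14:02:40", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7"},
    {"ts": "2024-03-13T14:03:05", "user": "jdoe", "event": "mfa.push.sent", "ip": "203.0.113.7"},
    {"ts": "2024-03-13T14:03:30", "user": "jdoe", "event": "mfa.push.approved", "ip": "203.0.113.7"},
    {"ts": "2024-03-13T09:15:00", "user": "asmith", "event": "mfa.push.sent", "ip": "198.51.100.4"},
    {"ts": "2024-03-13T09:15:20", "user": "asmith", "event": "mfa.push.approved", "ip": "198.51.100.4"},
]
HRIS_EVENTS = [
    {"ts": "2024-03-13T14:21:00", "user": "jdoe", "field": "direct_deposit.account", "ip": "203.0.113.7"},
    {"ts": "2024-03-13T14:22:00", "user": "jdoe", "field": "contact.secondary_email", "ip": "203.0.113.7"},
    {"ts": "2024-03-10T11:00:00", "user": "asmith", "field": "contact.address", "ip": "198.51.100.4"},
]
NEXT_PAYROLL_RUN = datetime(2024, 3, 15, 0, 0)  # assumed payroll processing time

SENSITIVE_PREFIXES = ("direct_deposit.", "contact.")


def _t(ts):
    return datetime.fromisoformat(ts)


def detect_push_fatigue(idp_events, threshold=3, window=timedelta(minutes=5)):
    """Flag users who received at least `threshold` push prompts inside one `window`."""
    sent = defaultdict(list)
    for e in idp_events:
        if e["event"] == "mfa.push.sent":
            sent[e["user"]].append(_t(e["ts"]))
    alerts = []
    for user, times in sent.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                alerts.append(("push_fatigue", user, start))
                break  # one alert per user is enough
    return alerts


def detect_change_after_mfa(idp_events, hris_events, window=timedelta(minutes=30)):
    """Flag sensitive HRIS edits made within `window` after an MFA approval for the same user."""
    approvals = [(e["user"], _t(e["ts"])) for e in idp_events if e["event"] == "mfa.push.approved"]
    alerts = []
    for h in hris_events:
        if not h["field"].startswith(SENSITIVE_PREFIXES):
            continue
        when = _t(h["ts"])
        if any(u == h["user"] and timedelta(0) <= when - at <= window for u, at in approvals):
            alerts.append(("sensitive_change_after_mfa", h["user"], h["field"]))
    return alerts


def detect_pre_payroll_deposit_change(hris_events, payroll_run, lead=timedelta(hours=48)):
    """Flag direct-deposit edits that land inside the `lead` window before a payroll run."""
    alerts = []
    for h in hris_events:
        when = _t(h["ts"])
        if h["field"].startswith("direct_deposit.") and timedelta(0) <= payroll_run - when <= lead:
            alerts.append(("deposit_change_before_payroll", h["user"], when))
    return alerts


def run_detections(idp_events=IDP_EVENTS, hris_events=HRIS_EVENTS, payroll_run=NEXT_PAYROLL_RUN):
    return (detect_push_fatigue(idp_events)
            + detect_change_after_mfa(idp_events, hris_events)
            + detect_pre_payroll_deposit_change(hris_events, payroll_run))


if __name__ == "__main__":
    for kind, user, detail in run_detections():
        print(f"{kind:32} user={user} {detail}")
```

On the sample data only `jdoe` trips the rules; `asmith` gets a single prompt, approves it, and edited an address three days before that approval, so nothing fires. The second rule is the one that would have closed the visibility gap named above: a direct-deposit edit minutes after an MFA approval from a never-before-seen address is worth a page regardless of where payroll day falls.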