Threat hunters have exposed a novel campaign that makes use of search engine optimization (SEO) poisoning techniques to target employee mobile devices and facilitate payroll fraud. The activity, first detected by ReliaQuest in May 2025 targeting an unnamed customer in the manufacturing sector, is characterized by the use of fake login pages to access the employee payroll portal and redirect
# Incident Report: SEO Poisoning and Mobile Device Targeting for Payroll Fraud
## Executive Summary
Threat hunters exposed a novel payroll fraud campaign leveraging SEO poisoning to trick employees into submitting credentials via fake mobile login pages. Attackers used compromised residential routers to mask traffic, gained access to the payroll portal, modified direct deposit information, and successfully redirected paychecks. The incident highlights the risk of targeting employee mobile devices due to lower security oversight outside the corporate network.
## Incident Details
- Discovery Date: May 2025
- Incident Date: Ongoing campaigns detected leading up to and during May 2025
- Affected Organization: Unnamed customer (Single organization detailed)
- Sector: Manufacturing
- Geography: Not explicitly disclosed (a US-based target is implied by the payroll and direct deposit focus)
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly defined, but occurs after an employee searches for their payroll portal.
- Vector: SEO Poisoning leading to credential harvesting via phishing.
- Details: Employees searching for their payroll portal are presented with deceptive, sponsored links leading to lookalike websites.
### Lateral Movement
- Date/Time: Immediately following successful credential entry.
- Vector: Credential reuse on the corporate payroll portal.
- Details: Attackers used the stolen credentials to log in to the payroll system and change the employee's direct deposit information, redirecting subsequent paychecks.
### Data Exfiltration/Impact
- Date/Time: Concurrent with credential theft and payroll update.
- Vector: Exfiltration of credentials and redirection of funds.
- Details: Stolen credentials were sent to an attacker-controlled website; the phishing page also opened a WebSocket connection (via the Pusher API) to notify the actor in real time of each successful capture, so the password could be reused immediately. The ultimate impact was the redirection of employee paychecks.
### Detection & Response
- Date/Time: May 2025 (Detection by ReliaQuest).
- Vector: Threat hunting analysis.
- Details: ReliaQuest detected the activity after the fact. The investigation noted high difficulty in analysis because targeting mobile devices reduced visibility and prevented automated scanning of the phishing site for IOC submission.
## Attack Methodology
- Initial Access: SEO poisoning directing users to a WordPress site that redirects to a mobile-specific phishing page mimicking a Microsoft login portal.
- Persistence: Not explicitly detailed. The immediate credential reuse suggests the actors did not establish long-term persistence in the corporate network; access only needed to last long enough to alter payroll data.
- Privilege Escalation: None explicitly noted beyond gaining access via stolen credentials to the privileged payroll portal.
- Defense Evasion: Exploiting the lack of enterprise-grade security on employee mobile devices; using compromised residential routers/proxy botnets to mask traffic origin as legitimate home/mobile IPs, bypassing geographical flagging.
- Credential Access: Harvesting credentials entered on the fake Microsoft login page.
- Discovery: Minimal internal discovery evident; the attack relied on employee-initiated searches.
- Lateral Movement: Movement occurred within the target environment from the initial compromised endpoint (mobile device) to the payroll portal using stolen credentials.
- Collection: Exfiltration of stolen credentials to attacker infrastructure.
- Exfiltration: Credentials were exfiltrated via standard web traffic; the final objective was the diversion of payroll funds.
- Impact: Financial fraud via payroll redirection.
## Impact Assessment
- Financial: Direct loss due to redirected paychecks. (Specific amount not disclosed).
- Data Breach: Employee login credentials for the payroll system.
- Operational: Disrupted payroll process for affected employees; hampered investigation due to mobile targeting and proxy use.
- Reputational: Potential reputational damage associated with payroll security failures.
## Indicators of Compromise
- Network indicators: Traffic originating from compromised residential IP addresses (ASUS/Pakedge routers recruited into proxy botnets).
- File indicators: Malicious WordPress site content leading to mobile phishing.
- Behavioral indicators: Use of Pusher WebSocket API for immediate notification of successful credential theft.
## Response Actions
- Containment measures: Not explicitly detailed, but likely involved network isolation of affected endpoints and rapid password resets.
- Eradication steps: Not detailed, though removing the initial phishing infrastructure would be required.
- Recovery actions: Reversing fraudulent payroll transfers and restoring correct direct deposit information.
## Lessons Learned
- Mobile devices present a significant blind spot for enterprise security teams due to reduced oversight and security tooling compared to desktops.
- The technique effectively leveraged residential IP addresses via proxy botnets to defeat location-based security checks.
- Because the phishing page targeted mobile devices, automated scanners could not analyze the infrastructure promptly, delaying the addition of IOCs to threat feeds.
- SEO poisoning is an increasingly effective non-traditional vector for targeted phishing operations.
## Recommendations
- Implement multi-factor authentication (MFA) requirements for all access to critical systems, especially payroll, even when accessed from residential/mobile connections.
- Increase security monitoring and logging visibility for employee mobile device connections when accessing corporate resources.
- Deploy network security solutions capable of detecting traffic patterns associated with proxy use, even when originating from seemingly legitimate residential IPs.
- Educate employees specifically on verifying the legitimacy of search engine results (sponsored links) when accessing sensitive internal services.
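As an added example (not part of the original report or of ReliaQuest's tooling), the following detector runs over constructed payroll-portal audit events and flags the sequence described above: a direct deposit change made within minutes of a login from an IP address the user has never logged in from before. The event format, field names and sample values are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events from a hypothetical payroll portal (not real data);
# the JSON-lines shape and field names are assumptions for this example.
SAMPLE_EVENTS = """
{"ts": "2025-05-06T08:02:11Z", "user": "jdoe", "event": "login", "src_ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2025-05-06T08:10:40Z", "user": "jdoe", "event": "view_paystub", "src_ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2025-05-01T09:00:00Z", "user": "asmith", "event": "login", "src_ip": "203.0.113.9", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2025-05-12T19:44:03Z", "user": "jdoe", "event": "login", "src_ip": "198.51.100.23", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4)"}
{"ts": "2025-05-12T19:46:27Z", "user": "jdoe", "event": "direct_deposit_change", "src_ip": "198.51.100.23", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4)"}
{"ts": "2025-05-13T09:00:00Z", "user": "asmith", "event": "login", "src_ip": "203.0.113.9", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2025-05-13T09:05:00Z", "user": "asmith", "event": "direct_deposit_change", "src_ip": "203.0.113.9", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
""".strip()

WINDOW = timedelta(minutes=15)                   # how soon after login a change is suspicious
MOBILE_MARKERS = ("iPhone", "Android", "Mobile")  # crude user-agent hints for context in the alert

def parse_events(text):
    # Parse JSON lines, convert timestamps to aware datetimes, and order chronologically.
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect_rapid_deposit_changes(events, window=WINDOW):
    """Flag a direct_deposit_change that follows, within `window`, a login from an IP
    the user has not logged in from before. The baseline is built from the events
    themselves, so a user's very first login counts as new; in production, seed
    `seen_ips` from historical login data instead."""
    seen_ips = defaultdict(set)  # per-user baseline of source IPs seen at login
    last_login = {}
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "login":
            e["new_ip"] = e["src_ip"] not in seen_ips[user]
            seen_ips[user].add(e["src_ip"])
            last_login[user] = e
        elif e["event"] == "direct_deposit_change":
            login = last_login.get(user)
            if login and login["new_ip"] and e["ts"] - login["ts"] <= window:
                alerts.append({"user": user, "src_ip": e["src_ip"],
                               "seconds_after_login": int((e["ts"] - login["ts"]).total_seconds()),
                               "mobile": any(m in e["ua"] for m in MOBILE_MARKERS)})
    return alerts

if __name__ == "__main__":
    for alert in detect_rapid_deposit_changes(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only jdoe is flagged: the change comes 144 seconds after a login from a previously unseen IP on a mobile user agent, while asmith's change follows a login from an IP already in that user's baseline.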