"Payroll Pirate" phishing scam that takes over Workday accounts steals paychecks
Briefly

"Payroll Pirate, as Microsoft says the campaign has been dubbed, gains access to victims' HR portals by sending them phishing emails that trick the recipients into providing their credentials for logging in to the cloud account. The scammers are able to recover multi-factor authentication codes by using adversary-in-the-middle tactics, which work by sitting between the victims and the site they think they're logging in to, which is, in fact, a fake site operated by the attackers."
"Once inside the employees' accounts, the scammers make changes to payroll configurations within Workday. The changes cause direct-deposit payments to be diverted from accounts originally chosen by the employee and instead flow to an account controlled by the attackers. To block messages Workday automatically sends to users when such account details have been changed, the attackers create email rules that keep the messages from appearing in the inbox."
Attackers impersonate legitimate services and send realistic phishing emails to harvest employee credentials for cloud-based HR portals such as Workday. Because the phishing page acts as an adversary-in-the-middle, the credentials and multi-factor authentication codes a victim types into the fake site are relayed to the real one, so one-time codes alone do not stop the takeover. Once inside, the attackers change the payroll configuration so that the employee's direct-deposit payments flow to an attacker-controlled bank account, and they create email rules that suppress the automated Workday notifications about the change so the victim never sees the alert. The observed attacks targeted multiple universities, compromised at least 11 accounts, and used those accounts to send further phishing to thousands of email addresses.
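The inbox-rule step is the one defenders can catch quickly, because creating or editing a rule is an audited mailbox operation. The following detection is an added example written for this summary; it is not code from the Ars Technica article, Microsoft, or Workday. It assumes a Microsoft 365 tenant whose Unified Audit Log records Exchange Online `New-InboxRule` and `Set-InboxRule` operations, and it uses constructed, simplified audit records (Operation, UserId, and Parameters as Name/Value pairs) so it runs offline. It flags any rule that both hides messages (deletes them, or moves them out of the Inbox) and matches on payroll or HR wording such as the Workday sender.

```python
"""Flag mailbox rules that would bury payroll/HR notifications.

Added example for this summary; not code from the article, Microsoft or
Workday.  Assumes Microsoft 365 Unified Audit Log records for Exchange
Online New-InboxRule / Set-InboxRule.  Records below are CONSTRUCTED and
simplified (real records carry the same fields inside an AuditData JSON
string) so the script runs offline.
"""
import json

# Rule condition parameters whose text we inspect for payroll/HR wording.
CONDITION_PARAMS = (
    "FromAddressContainsWords", "SubjectContainsWords",
    "SubjectOrBodyContainsWords", "BodyContainsWords", "HeaderContainsWords",
)
# Terms that appear in Workday / payroll change notifications (assumption).
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "bank account",
                 "payment election", "human resources")


def parse_parameters(record):
    """Turn the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def hides_message(params):
    """Return the rule actions that keep a matching message out of the Inbox."""
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    if params.get("SoftDeleteMessage", "").lower() == "true":
        reasons.append("SoftDeleteMessage")
    folder = params.get("MoveToFolder", "")
    # Filing into an Inbox subfolder is normal; moving anywhere else
    # (RSS Subscriptions, Deleted Items, Archive, ...) hides the mail.
    if folder and "inbox" not in folder.lower():
        reasons.append(f"MoveToFolder={folder}")
    if params.get("RedirectTo"):
        reasons.append("RedirectTo")  # message never lands in the mailbox
    return reasons


def payroll_terms_matched(params):
    """Return which condition parameters reference payroll/HR wording."""
    hits = []
    for name in CONDITION_PARAMS:
        text = params.get(name, "").lower()
        hits.extend(f"{name}~{term}" for term in PAYROLL_TERMS if term in text)
    return hits


def evaluate_rule_event(record):
    """Return a finding dict for a suspicious rule event, else None."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = parse_parameters(record)
    hide, terms = hides_message(params), payroll_terms_matched(params)
    if not (hide and terms):
        return None
    return {
        "user": record["UserId"],
        "time": record["CreationTime"],
        # New-InboxRule names the rule via Name, Set-InboxRule via Identity.
        "rule": params.get("Name") or params.get("Identity") or "<unnamed>",
        "hides_via": hide,
        "matches": terms,
    }


def find_payroll_hiding_rules(records):
    return [f for f in map(evaluate_rule_event, records) if f]


# Constructed sample audit records: two benign, two matching the tactic.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-10-09T08:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.edu",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "alice@example.edu:\\Inbox\\Newsletters"}]},
    {"CreationTime": "2025-10-09T08:30:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.edu",  # files Workday mail but keeps it visible
     "Parameters": [{"Name": "Name", "Value": "HR"},
                    {"Name": "FromAddressContainsWords", "Value": "workday"},
                    {"Name": "MoveToFolder", "Value": "bob@example.edu:\\Inbox\\HR"}]},
    {"CreationTime": "2025-10-09T09:01:00", "Operation": "New-InboxRule",
     "UserId": "carol@example.edu",  # deletes everything from Workday
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "workday"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2025-10-09T09:05:00", "Operation": "Set-InboxRule",
     "UserId": "dave@example.edu",  # existing rule edited to bury alerts
     "Parameters": [{"Name": "Identity", "Value": "Rule 2"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;payment election"},
                    {"Name": "MoveToFolder", "Value": "dave@example.edu:\\RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]

if __name__ == "__main__":
    print(json.dumps(find_payroll_hiding_rules(SAMPLE_EVENTS), indent=2))
```

In practice these findings should be correlated with a payroll-side event (a changed payment election in Workday) and with the sign-in that created the rule, since a legitimate user occasionally files HR mail too; the rule check alone is a high-signal trigger, not proof of compromise.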
Read at Ars Technica