A recent cyberattack uncovered by ReliaQuest employs search engine optimization (SEO) poisoning to target employee mobile devices for payroll fraud. The attackers create deceptive websites disguised as legitimate login portals, leading employees to enter the credentials they use to access payroll systems. This method was first noted in May 2025 and is linked to prior incidents in 2024. By utilizing compromised infrastructure, the attackers evade security detection, which enables them to change direct deposit information and redirect paychecks to accounts under their control, posing significant risk to targeted organizations.
The attacker's infrastructure used compromised home office routers and mobile networks to mask their traffic, dodging detection and slipping past traditional security measures.
Armed with stolen credentials, the adversary gained access to the organization's payroll portal, changed direct deposit information, and redirected employees' paychecks into their own accounts.