Cyber Security News

Payroll Pirates – Network of Criminal Groups Hijacking Payroll Systems

Cyber threats are changing how they reach victims. A financially motivated criminal network called Payroll Pirates has been quietly attacking payroll systems, credit unions, and trading platforms across the United States since mid-2023.

Their weapon of choice is malvertising, where fake ads appear on search engines and trick users into visiting phishing websites. Once employees enter their login details on these fake pages, attackers steal the information and redirect salary payments to their own bank accounts.

This organized operation has grown over time, targeting more than 200 different platforms and ensnaring over 500,000 users.

The campaign started with Google Ads that promoted fake payroll websites. When employees searched for their company’s HR portal, they saw these sponsored ads at the top of search results.

Clicking the ad took them to a phishing site that looked exactly like their real payroll login page. Once they entered usernames and passwords, the stolen credentials were sent directly to the attackers through hidden communication channels.

Check Point security researchers identified this network in May 2023 when they noticed multiple phishing sites copying payroll platforms.

The investigation revealed that different groups were working together, sharing the same attack tools and methods, but each had its own domains and its own way of collecting stolen information.

The attacks stopped temporarily in November 2023. In June 2024, however, the criminals returned with better tools. The new phishing pages could now defeat two-factor authentication by using Telegram bots that interacted with victims in real time.

Ad Cloaking Service Works (Source – Check Point)

When a user entered their password, the bot would immediately ask for their verification code or security questions. The updated system also used redesigned backend scripts that made detection much harder.

Instead of obvious data collection points, the attackers now used hidden PHP scripts with simple names like xxx.php, check.php, and analytics.php to send stolen information without being noticed.
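The entry point (a sponsored ad click landing on a lookalike portal) and the exit point (a form POST to an innocuously named collection script) both leave traces in web proxy logs. The following is an added detection sketch, not code from the article or from Check Point: it scores proxy log lines against an assumed allowlist of legitimate payroll hosts, the brand words a lookalike domain would reuse, and the script names the article cites. The log format, hostnames and brand words are constructed for the example; `gclid` is the real Google Ads click identifier.

```python
"""Added example: flag proxy-log lines consistent with the Payroll Pirates
pattern described above. Log format, allowlist and brand words are assumptions."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the organisation's legitimate payroll/HR portals.
LEGIT_HOSTS = {"payroll.example-vendor.com", "hr.example.com"}
# Assumption: brand keywords a lookalike domain would reuse.
BRAND_WORDS = ("payroll", "example-vendor", "hrportal")
# Collection-script names cited in the article.
EXFIL_PATHS = {"/xxx.php", "/check.php", "/analytics.php"}

# Constructed log format: "<timestamp> <user> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def analyse_line(line):
    """Return the list of alert reasons for one proxy log line ([] if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _ts, _user, method, url, _status = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in LEGIT_HOSTS:
        return []
    reasons = []
    brand_hit = any(word in host for word in BRAND_WORDS)
    query = parse_qs(parts.query)
    # A brand lookalike reached through a paid ad click (gclid present) is the
    # malvertising entry point; a lookalike without gclid is still worth a look.
    if "gclid" in query and brand_hit:
        reasons.append("ad click landed on non-allowlisted brand lookalike host")
    elif brand_hit:
        reasons.append("brand lookalike host outside allowlist")
    # Form submissions to the collection-script names the article lists.
    if method == "POST" and parts.path in EXFIL_PATHS:
        reasons.append("POST to known collection-script name")
    return reasons


def scan(lines):
    """Map each suspicious line's index to its list of reasons."""
    return {i: r for i, line in enumerate(lines) if (r := analyse_line(line))}


# Constructed sample log (TEST-NET style names, not real traffic).
SAMPLE_LOG = [
    "2024-06-03T09:12:01Z alice GET https://payroll.example-vendor.com/login 200",
    "2024-06-03T09:12:05Z bob GET https://payroll-example-vendor-login.com/?gclid=abc123 200",
    "2024-06-03T09:12:40Z bob POST https://payroll-example-vendor-login.com/check.php 200",
    "2024-06-03T09:13:00Z carol GET https://news.example.org/?gclid=zzz 200",
    "2024-06-03T09:14:00Z dave POST https://cdn.example.net/analytics.php 200",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, SAMPLE_LOG[idx].split()[1], "->", "; ".join(reasons))
```

The ad-click rule only fires when the landing host reuses a brand word and is off the allowlist, so ordinary `gclid` traffic to unrelated sites stays quiet. A POST to `analytics.php` on its own is a weak signal (plenty of legitimate sites use that name), which is why it is reported as a reason to be combined with the host checks rather than as an alert by itself.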

Real-Time Credential Theft Mechanism

The most dangerous part of this operation is how the attackers bypass security measures. When a victim lands on the fake login page and enters their credentials, the information is immediately sent to operators through a Telegram bot.

This bot acts as the control center for the entire network, handling two-factor authentication requests across all different types of targets including credit unions, payroll systems, healthcare benefits portals, and trading platforms.

Attack flow, infrastructure, and evolution (Source – Check Point)

The bot sends notifications to operators who then interact with victims by requesting one-time codes and security answers in real time.

This direct communication happens within seconds, making it almost impossible for victims to realize they are being scammed until it is too late.
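Because the relayed one-time code lets the operator, not the employee, finish the login, the payroll platform itself sees a valid session arriving from infrastructure the employee has never used, followed shortly by the direct-deposit change the article describes. The following is an added example of a payroll-side control against that sequence; it is not code from the article or Check Point. It holds any direct-deposit change made from an address that first appeared at a login within the last 30 minutes. The event format, the 30-minute window and the account history are assumptions, and the events are constructed.

```python
"""Added example: hold a direct-deposit change made shortly after a login
from an address the account has never used. Event schema and window assumed."""
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(minutes=30)  # assumed review window


def evaluate(events, known_ips):
    """events: dicts with keys ts (ISO 8601), user, type, ip, and new_account
    for direct_deposit_change events. known_ips: {user: set of addresses seen
    before this batch}. Returns a list of (user, new_account, reason) holds."""
    recent_unseen_logins = {}  # (user, ip) -> timestamp of login from unseen ip
    holds = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ip, ts = ev["user"], ev["ip"], datetime.fromisoformat(ev["ts"])
        seen_before = ip in known_ips.get(user, set())
        if ev["type"] == "login_success" and not seen_before:
            recent_unseen_logins[(user, ip)] = ts
        elif ev["type"] == "direct_deposit_change" and not seen_before:
            login_ts = recent_unseen_logins.get((user, ip))
            if login_ts is not None and ts - login_ts <= HOLD_WINDOW:
                age = int((ts - login_ts).total_seconds())
                holds.append((user, ev["new_account"],
                              f"deposit change {age}s after login from unseen ip {ip}"))
    return holds


# Constructed history and events (documentation address ranges only).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}, "carol": set()}
SAMPLE_EVENTS = [
    # alice: routine change from her usual address -> allowed
    {"ts": "2024-06-03T09:00:00+00:00", "user": "alice", "type": "login_success", "ip": "203.0.113.10"},
    {"ts": "2024-06-03T09:05:00+00:00", "user": "alice", "type": "direct_deposit_change",
     "ip": "203.0.113.10", "new_account": "ACCT-****1111"},
    # bob: login from an unseen address, change two minutes later -> held
    {"ts": "2024-06-03T09:12:00+00:00", "user": "bob", "type": "login_success", "ip": "198.51.100.77"},
    {"ts": "2024-06-03T09:14:00+00:00", "user": "bob", "type": "direct_deposit_change",
     "ip": "198.51.100.77", "new_account": "ACCT-****4321"},
    # carol: unseen address, but the change comes two hours later -> outside window
    {"ts": "2024-06-03T08:00:00+00:00", "user": "carol", "type": "login_success", "ip": "198.51.100.5"},
    {"ts": "2024-06-03T10:00:00+00:00", "user": "carol", "type": "direct_deposit_change",
     "ip": "198.51.100.5", "new_account": "ACCT-****9999"},
]

if __name__ == "__main__":
    for user, account, reason in evaluate(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"HOLD {user} -> {account}: {reason}")
```

A held change goes to out-of-band confirmation with the employee (a channel the phishing page cannot sit in the middle of) rather than being rejected outright, so a genuine new-laptop login followed by a real bank change costs a short delay, not a failed payroll run. The window is deliberately short because the article describes the whole relay completing within seconds; the same keyed-by-address approach extends naturally to device fingerprints or ASN where the platform records them.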

The phishing kits use dynamic elements that change based on what security measures each target platform uses. Pages adapt automatically by loading different forms depending on whether the real website asks for security questions, email verification, or mobile authentication.

The backend scripts communicate silently with operators through encrypted channels, keeping all data collection hidden from network monitoring tools.

This makes the infrastructure nearly impossible to disrupt because there are no exposed endpoints that security teams can easily block or take down.

Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
