ReliaQuest uncovered a sophisticated SEO poisoning attack targeting employee mobile devices to steal credentials and reroute payroll deposits. The attackers used compromised home routers and mobile networks to mask their activity, evading detection and causing significant financial and reputational risks. #SEOpoisoning #PayrollFraud #MobileSecurity #ReliaQuest
Key Points
- The attack utilized SEO poisoning by creating fake login portals that ranked highly on mobile search results, tricking employees into submitting payroll credentials.
- Credential harvesting targeted mobile devices connected to unsecured networks, bypassing corporate security controls and logging.
- The attackers used the legitimate Pusher service over WebSocket for real-time credential theft notifications, enabling rapid reuse of stolen credentials.
- Compromised home routers with vulnerable firmware acted as proxy networks, masking attacker IP addresses to evade detection.
- The attackers accessed SAP SuccessFactors payroll portals, altering direct deposit information to divert employees’ paychecks.
- ReliaQuest emphasizes implementing multifactor authentication (MFA), conditional access policies, employee education, and digital risk protection to mitigate such threats.
- Detection and response capabilities, including agentic AI and automated playbooks, were recommended to contain and stop attacks quickly.
MITRE Techniques
- [T1598] Search Engine Poisoning – Attackers manipulated Google advertisement settings and created fake portals that appeared as top mobile search results, deceiving users into submitting credentials (‘…the attacker’s website appeared as the top search result…’).
- [T1566] Phishing – Fake Microsoft login portal was used on mobile devices to steal payroll credentials (‘…redirected to a phishing page designed to mimic a Microsoft login portal, capturing employee credentials’).
- [T1076] Remote Access Software – Use of the legitimate Pusher service over WebSocket for real-time exfiltration of credentials (‘…an HTTP GET request is submitted to the URL ws-ap2.pusher[.]com to establish a WebSocket connection…’).
- [T1098] Account Manipulation – Attackers accessed SAP SuccessFactors portal to modify direct deposit information (‘…modified the employee’s direct deposit settings to divert paychecks into their own accounts’).
- [T1090] Proxy – Use of compromised home routers as proxy networks to mask attacker IPs and evade detection (‘…network traffic originated from numerous residential IP addresses… tied to home office routers… creating botnets sold as proxy networks’).
- [T1204] User Execution – Employees were tricked into clicking malicious links from search engine results, enabling credential theft (‘…employees tricked into handing over their credentials through malicious sites’).
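A defensive correlation of the account-manipulation and proxy techniques above, written for this page as an added Python example (not ReliaQuest's code): it flags direct-deposit changes in payroll-portal audit events when the source IP is new to that user or is on a watchlist of the residential proxy IPs the report names, and notes how soon after login the change was made. The event format, usernames and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Residential proxy IPs named in the report, used here as a watchlist.
WATCHLIST = {"142.196.199.253", "75.113.173.76"}
RAPID_WINDOW = timedelta(minutes=15)  # login-to-change gap typical of credential replay
NEW_IP_WINDOW = timedelta(hours=24)   # an IP first seen this recently is "new" for the user

# Constructed sample payroll-portal audit events: (timestamp, user, source_ip, action).
EVENTS = [
    ("2025-04-20T09:00:00", "bob",   "203.0.113.11",    "login"),
    ("2025-05-01T09:02:00", "alice", "203.0.113.10",    "login"),
    ("2025-05-01T09:05:00", "alice", "203.0.113.10",    "view_paystub"),
    ("2025-05-02T11:40:00", "alice", "203.0.113.10",    "login"),
    ("2025-05-03T02:17:00", "alice", "142.196.199.253", "login"),
    ("2025-05-03T02:19:00", "alice", "142.196.199.253", "direct_deposit_change"),
    ("2025-05-03T08:00:00", "bob",   "203.0.113.11",    "login"),
    ("2025-05-03T08:30:00", "bob",   "203.0.113.11",    "direct_deposit_change"),
]

def detect_payroll_diversion(events, watchlist=WATCHLIST):
    """Return one alert per direct-deposit change that shows account-takeover signals:
    a source IP new to the user or on the proxy watchlist, with the login-to-change
    gap added as supporting context (stolen credentials are replayed within minutes)."""
    first_seen = {}   # (user, ip) -> first time this IP was seen for the user
    last_login = {}   # (user, ip) -> time of the most recent login from that IP
    alerts = []
    for ts, user, ip, action in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        first_seen.setdefault((user, ip), t)
        if action == "login":
            last_login[(user, ip)] = t
            continue
        if action != "direct_deposit_change":
            continue
        reasons = []
        if t - first_seen[(user, ip)] <= NEW_IP_WINDOW:
            reasons.append("source IP new for this user (first seen under 24h ago)")
        if ip in watchlist:
            reasons.append("source IP on residential-proxy watchlist")
        if reasons and (user, ip) in last_login and t - last_login[(user, ip)] <= RAPID_WINDOW:
            gap = int((t - last_login[(user, ip)]).total_seconds() // 60)
            reasons.append(f"change made {gap} min after login")
        if reasons:
            alerts.append({"user": user, "ip": ip, "time": ts, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect_payroll_diversion(EVENTS):
        print(a["time"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

In the sample data, bob's change comes from an IP he has used for weeks and produces no alert, while alice's change from a watchlisted IP first seen two minutes earlier is flagged with all three reasons.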
Indicators of Compromise
- [IP addresses] Attacker and proxy IPs – 188.143.232[.]224 (Russia, attacker slip-up), 2600:387:f:5610[::]a (AT&T mobile IPv6), 142.196.199[.]253, 75.113.173[.]76 (residential proxy IPs)
- [File Names] Credential harvesting endpoint – “xxx.php” used to receive stolen credentials via HTTP POST requests
- [Domains] Malicious phishing and WebSocket – ws-ap2.pusher[.]com for real-time communication; multiple impersonating phishing domains detected via GreyMatter DRP