Key Points

ReliaQuest investigated a unique search engine optimization (SEO) poisoning attack targeting mobile devices, where attackers stole credentials via fake login pages to access the employee payroll portal and reroute paychecks.

The attacker’s infrastructure used compromised home office routers and mobile networks to mask their traffic, dodging detection and slipping past traditional security measures.

To defend against such attacks, organizations should secure payroll portals with multifactor authentication (MFA) and conditional access policies, investigate unauthorized direct deposit changes, and educate employees to authenticate through trusted methods like single sign-on (SSO) only.


In May 2025, ReliaQuest uncovered a unique search engine optimization (SEO) poisoning attack that led to payroll fraud affecting a customer in the manufacturing sector. SEO poisoning is a deceptive tactic in which attackers manipulate search rankings, or buy sponsored placements, so that a site they control appears at the top of results for terms a victim is likely to search. In this case the sites were fake authentication portals mimicking the organization's own login page, tricking employees into unknowingly handing over their credentials.

In this attack, the adversary specifically targeted employee mobile devices with a fake website impersonating the organization’s login page. Armed with stolen credentials, the adversary gained access to the organization’s payroll portal, changed direct deposit information, and redirected employees’ paychecks into their own accounts.

The tactics, techniques, and procedures (TTPs) observed in this attack closely mirror two investigations we conducted in late 2024, suggesting that the attack is part of a broader, ongoing campaign.

Organizations across all sectors should take note of the attack detailed in this report and thoroughly evaluate their payroll portal security controls. Ignoring this threat could open the door to significant financial losses, a breakdown in employee trust, payroll disruptions, and hefty penalties for non-compliance with data protection regulations.

In this report, we take a deep dive into our investigations of the attack, uncovering the chain of events and the unique techniques that set this campaign apart. These include targeting mobile devices over computers and abusing the legitimate messaging service Pusher to receive instant notifications of stolen credentials—allowing the attacker to avoid detection while leeching employees’ wages.

To strengthen your security posture and protect your organization from similar threats, we provide actionable recommendations to counter the key TTPs identified in this attack.

From SEO Poisoning to Stolen Paychecks

It Starts with a Search

Our investigation began after detecting a threat actor authenticating to a customer’s environment and logging into SAP SuccessFactors, a human resources platform. Once inside, they modified the employee’s direct deposit settings to divert paychecks into their own accounts. This left us asking: How did the attacker obtain the employee’s credentials?

We initially suspected SEO poisoning, but our first round of research found no evidence of it. Further testing from mobile devices, however, revealed that the attacker’s website appeared as the top search result when we searched Google for the customer’s company name alongside keywords like “payroll” and “portal.” To achieve this, the attacker almost certainly configured their Google advertisement settings to target mobile devices only, so the listing never appears to a desktop browser (see Figure 1).

Figure 1: Malicious website prompted via SEO (identifying customer details have been redacted)

Attackers gain two key advantages by targeting employee mobile devices:

  • Employee mobile devices usually connect to guest Wi-Fi networks (or stay disconnected entirely), which lack enterprise-grade security measures like web traffic filtering to block access to malicious sites.

  • Employees who visit malicious sites—typically out of hours—don’t use the corporate network. This means network traffic to the malicious website isn’t logged, hindering investigation efforts and making it difficult to trace which employee accounts were compromised from the site.

Why Does This Matter?

Phishing attacks targeting off-network devices, like mobile phones, create big challenges for organizations, as they expose gaps that on-premises and cloud networks often overlook. These devices typically lack proper security and logging, leaving organizations in the dark when employee credentials are stolen—and unable to act fast enough.

To mitigate this risk, businesses must secure authentication portals and avoid over-relying on security tools to keep credentials safe. After all, credentials can be compromised in many ways, whether through off-network phishing attacks (as in this case) or third-party breaches leaking sensitive data.

The Digital Doppelganger

When users clicked the malicious link, they were led to a WordPress website. On workstations, the website had no meaningful content, but when accessed from a mobile device it redirected to a phishing page designed to mimic a Microsoft login portal and capture employee credentials (see Figure 2). Serving the phishing content only to visitors the site identifies as mobile (typically by the browser’s User-Agent string) does double duty: the credential theft happens on devices that lack security tooling and logging, and analysts or automated URL scanners that fetch the site from a workstation see only an empty page. Unless the site is retrieved with a mobile user agent, it is never classified as malicious or added to indicator of compromise (IOC) threat feeds, which delays blocking and takedown.
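The check an analyst wants at this point is to fetch the site twice, once as a desktop browser and once as a phone, and compare what comes back. The following is an added example (not code from the report or from the phishing site) of that probe in Node.js. The fetch function is injected, so the logic runs offline against the constructed stub at the bottom; the hostnames decoy.example and login-portal.example are made up for the example.

```javascript
// Added example, not code from the report: probe a suspect URL with a desktop
// and a mobile User-Agent and compare what each receives, to catch a site that
// shows workstations an empty page but redirects mobile visitors to a phishing
// page. The fetch function is injected so the logic runs offline against the
// stub at the bottom; pass globalThis.fetch (Node 18+) to probe a live URL.

const DESKTOP_UA =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36';
const MOBILE_UA =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1';

// Client-side User-Agent sniffing next to a mobile keyword: a page that is
// "empty" for desktops but carries this is redirecting in JavaScript instead.
const UA_SNIFF_RE =
  /navigator\.userAgent[\s\S]{0,120}(Android|iPhone|Mobile)|(Android|iPhone|Mobile)[\s\S]{0,120}navigator\.userAgent/i;

// Walk the redirect chain by hand so every hop is recorded. With Node's fetch,
// redirect: 'manual' hands back the 3xx response itself, Location included.
async function followChain(url, userAgent, fetchImpl, maxHops = 5) {
  const chain = [];
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(current, { headers: { 'User-Agent': userAgent }, redirect: 'manual' });
    chain.push({ url: current, status: res.status });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current).toString();
      continue;
    }
    return { chain, finalUrl: current, body: await res.text() };
  }
  throw new Error(`more than ${maxHops} redirects starting at ${url}`);
}

const hostOf = (u) => new URL(u).host;

// Pure comparison of the two probe results; returns the verdict and evidence.
function compareProbes(desktop, mobile) {
  const reasons = [];
  if (hostOf(desktop.finalUrl) !== hostOf(mobile.finalUrl)) {
    reasons.push(`mobile UA lands on ${hostOf(mobile.finalUrl)}, desktop UA on ${hostOf(desktop.finalUrl)}`);
  }
  if (desktop.chain.length !== mobile.chain.length) {
    reasons.push(`redirect chain differs (${desktop.chain.length} vs ${mobile.chain.length} hops)`);
  }
  if (UA_SNIFF_RE.test(desktop.body)) {
    reasons.push('desktop response contains client-side mobile User-Agent sniffing');
  }
  return { cloaked: reasons.length > 0, reasons };
}

async function probeForCloaking(url, fetchImpl = globalThis.fetch) {
  const desktop = await followChain(url, DESKTOP_UA, fetchImpl);
  const mobile = await followChain(url, MOBILE_UA, fetchImpl);
  return { ...compareProbes(desktop, mobile), desktop, mobile };
}

// Constructed stub standing in for the WordPress site in the report: a bare
// page for desktop browsers, a 302 to a look-alike login host for mobile ones.
// Hostnames are made up for the example.
function makeStubFetch() {
  const reply = (status, body, location) => ({
    status,
    headers: new Map(location ? [['location', location]] : []),
    text: async () => body,
  });
  return async (url, opts) => {
    const isMobile = /iPhone|Android|Mobile/i.test(opts.headers['User-Agent']);
    if (url.startsWith('https://decoy.example/') && isMobile) {
      return reply(302, '', 'https://login-portal.example/auth');
    }
    if (url.startsWith('https://login-portal.example/')) {
      return reply(200, '<form action="/xxx.php" method="post">Sign in</form>');
    }
    return reply(200, '<html><body></body></html>');
  };
}

// probeForCloaking('https://decoy.example/', makeStubFetch()).then((r) => console.log(r.cloaked, r.reasons));
```

Run the probe from a network the attacker does not expect (not the corporate egress) and keep the mobile result, including the final URL and body, as the artefact to submit to URL scanners and threat feeds; a scanner that only fetches with a desktop user agent will report the decoy page as clean.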

Figure 2: Microsoft login credential harvester

When credentials are submitted to the phishing page, an HTTP POST request is sent to a PHP script named "xxx.php" on an attacker-controlled website. This script receives the submitted credentials and was also observed in the two previous investigations from late 2024, making it highly likely that the same adversary is behind all three attacks.

In addition, when credentials are entered, the page sends an HTTP GET request to ws-ap2.pusher[.]com to establish a WebSocket connection (a WebSocket handshake is an HTTP GET carrying an “Upgrade: websocket” header; the ws-ap2 host is Pusher’s ap2 cluster). WebSocket is a protocol that provides real-time, two-way communication between a client and a server over a single persistent connection.

A JavaScript file on the phishing website, named “analytics.js,” initializes the Pusher WebSocket client with the attacker’s application key 24b4d4cd17db28a86437.

Pusher is a legitimate cloud-based platform that provides real-time communication services for websites and mobile applications. It allows developers to implement real-time features, such as notifications and messaging, into applications.

After a WebSocket connection is established, Pusher assigns the connection a socket ID. Events published to the attacker’s Pusher channel are delivered immediately to every subscribed client, so a page the attacker keeps open receives each harvested credential the moment it is submitted. This removes the need to check webserver logs or the xxx.php drop periodically, which would introduce delays. The attacker deliberately set up this feature to receive instant notifications of stolen credentials, enabling them to reuse the credentials as quickly as possible, before the victim changes their password or the organization revokes the session.
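Once a copy of the phishing page and its scripts has been captured (with a mobile user agent, as described above), the useful artefacts are the credential-drop endpoint (the POST to xxx.php) and the Pusher configuration. The following is an added example, not the phishing kit’s own analytics.js and not ReliaQuest tooling, of a static triage routine that pulls both out of a captured page. The sample HTML and JavaScript are constructed to resemble what the report describes; only the application key and the ws-ap2 host come from the report, and the hostnames decoy.example and cdn-static.example are made up.

```javascript
// Added example, not the phishing kit's own code: static triage of a captured
// phishing page and its script. It extracts the credential-drop endpoint and
// the Pusher configuration (app key, cluster, channel, bound events), and
// derives the WebSocket endpoint the page will open, so both can be hunted in
// proxy logs. The HTML and JavaScript below are constructed to resemble what
// the report describes; only the app key and the ws-ap2 host come from it, and
// the hostnames are made up.

const PAGE_URL = 'https://decoy.example/login/';

const SAMPLE_HTML = [
  '<html><body>',
  '<form id="login" action="https://cdn-static.example/xxx.php" method="post">',
  '<input name="login" type="email"><input name="passwd" type="password">',
  '<button type="submit">Sign in</button></form>',
  '<script src="/wp-content/analytics.js"></script>',
  '</body></html>',
].join('\n');

const SAMPLE_ANALYTICS_JS = [
  "var pusher = new Pusher('24b4d4cd17db28a86437', { cluster: 'ap2', forceTLS: true });",
  "pusher.connection.bind('connected', function () { window.sid = pusher.connection.socket_id; });",
  "var ch = pusher.subscribe('visits');",
  "ch.bind('new-visit', function (d) { console.log(d); });",
  "ch.bind('new-login', function (d) { console.log(d); });",
].join('\n');

// Endpoints a page can POST credentials to: form actions, fetch()/XHR POSTs
// and sendBeacon() calls. Relative paths are resolved against the page URL.
function extractPostTargets(html, js, pageUrl) {
  const patterns = [
    /<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi,
    /fetch\s*\(\s*["']([^"']+)["'][^)]*method\s*:\s*["']POST["']/gi,
    /\.open\s*\(\s*["']POST["']\s*,\s*["']([^"']+)["']/gi,
    /sendBeacon\s*\(\s*["']([^"']+)["']/gi,
  ];
  const found = new Set();
  for (const src of [html, js]) {
    for (const re of patterns) {
      for (const m of src.matchAll(re)) found.add(new URL(m[1], pageUrl).toString());
    }
  }
  return [...found];
}

// Pusher app keys are public identifiers (the secret stays server-side), so a
// key recovered from a page cannot publish events but does uniquely identify
// the attacker's Pusher application and cluster.
function extractPusherConfig(js) {
  const init = js.match(/new\s+Pusher\s*\(\s*["']([0-9a-f]{16,40})["']\s*(?:,\s*\{([^}]*)\})?/i);
  if (!init) return null;
  const key = init[1];
  const clusterMatch = (init[2] || '').match(/cluster\s*:\s*["']([a-z0-9-]+)["']/i);
  const cluster = clusterMatch ? clusterMatch[1] : 'mt1'; // mt1: Pusher's original default cluster
  const channels = [...js.matchAll(/\.subscribe\s*\(\s*["']([^"']+)["']/g)].map((m) => m[1]);
  // Channel events only; pusher.connection.bind() handles connection state.
  const events = [...js.matchAll(/(?<!connection)\.bind\s*\(\s*["']([^"']+)["']/g)].map((m) => m[1]);
  return {
    key,
    cluster,
    channels,
    events,
    websocketEndpoint: `wss://ws-${cluster}.pusher.com/app/${key}`,
  };
}

function triagePhishingPage(html, js, pageUrl) {
  const postTargets = extractPostTargets(html, js, pageUrl);
  const pusher = extractPusherConfig(js);
  const hostsToHunt = new Set(postTargets.map((u) => new URL(u).host));
  if (pusher) hostsToHunt.add(`ws-${pusher.cluster}.pusher.com`);
  return { postTargets, pusher, hostsToHunt: [...hostsToHunt] };
}

// triagePhishingPage(SAMPLE_HTML, SAMPLE_ANALYTICS_JS, PAGE_URL)
```

The drop host is the IOC to block and hunt; the Pusher host is shared legitimate infrastructure and should be hunted for (connections to ws-ap2.pusher.com from a device that also visited the decoy domain), not blocked outright. The application key cannot be used to read or inject events, since Pusher keeps the app secret server-side, but it identifies the attacker’s application for an abuse report to Pusher and links this kit to other pages using the same key.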

Why Does This Matter?

This phishing attack captures user credentials on devices where no monitoring or safeguards exist to block the activity, leaving organizations in the dark. By using Pusher for real-time notification, the attacker can replay compromised credentials against authentication portals within moments of the phishing submission. This highlights a critical weakness: Organizations with lax authentication controls can easily be caught off guard by attacks that target employees’ off-network personal devices, where traditional security measures fall short.

The Router Cloak: Sneaking Into Payroll Systems

After harvesting the employee’s credentials, the attacker wasted no time in using them to log into the customer’s payroll portal. Then, we observed the following behavior:

  • The attacker first authenticated to the compromised account from IP address 2600:387:f:5610[::]a, associated with telecommunications company AT&T.

  • Next, the attacker accessed the organization’s SharePoint and viewed the file Update_Direct_Deposit_Information.pdf from the same IP address.

  • The attacker was later blocked from authenticating from the source IP address 188.143.232[.]224, located in Russia. This attempt was likely a mistake, as the attacker failed to use a proxy and inadvertently exposed their true location.

  • Subsequent successful authentications originated from residential IP addresses, such as 142.196.199[.]253 and 75.113.173[.]76. This allowed the attacker to evade detection, maintain access, and change the direct deposit routing of compromised accounts via the SAP SuccessFactors portal.

The attacker’s network traffic originated from numerous residential IP addresses. Upon investigation, we found that many of these IP addresses were tied to home office routers, including popular brands like ASUS and Pakedge (see Figure 3). Such routers are easy targets: attackers exploit default credentials or the absence of rate limiting to brute-force the administrative interface unhindered.

Adding to the problem, outdated firmware exposes routers to serious vulnerabilities such as CVE-2024-3080 and CVE-2025-2492, giving attackers another way in. Once compromised, the routers are infected with malware and enrolled in botnets, and access to them is resold as residential proxy networks on criminal marketplaces.

Figure 3: Device fingerprint of IP address, 142.196.199[.]253

Proxy networks are prized tools for cybercriminals: They are low-cost yet highly effective, with pricing models that include monthly subscriptions, pay-per-IP, or metered data usage. Advertised costs can be as low as $0.77 per gigabyte of data (see Figure 4). They allow attackers to route traffic through trusted residential IP addresses in unremarkable locations, blending in with normal user traffic and defeating controls that key on IP reputation or geography. This leaves traditional detection measures ineffective, opens the door to unauthorized access, and makes threat identification a much harder battle.

Proxy networks bring in big money, as demonstrated by the FBI investigation into the Anyproxy and 5socks botnet services. Hackers behind the operation infected older-model wireless routers and sold access to them, bringing in over $46 million in revenue. With subscription fees starting at just $9.95 per month and over 7,000 proxies advertised globally, this case highlights the huge demand and profitability of proxy services within the criminal underground.

Figure 4: Proxy service provider advertising on “sinister[.]ly”

Why Does This Matter?

When attackers use proxy networks, especially ones tied to residential or mobile IP addresses, they become much harder for organizations to detect and investigate. Unlike commercial VPN and hosting ranges, which are often flagged because their IP addresses have a history of abuse, residential and mobile IP addresses carry good reputations and let attackers avoid being classified as malicious. What’s more, a proxy network lets an attacker choose an exit in the same country or region as the target organization, bypassing conditional access rules and impossible-travel detections designed to flag logins from unusual locations.
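What survives the proxy cloak is the pattern in the sign-in log itself: one account authenticating from several unrelated residential and mobile networks within hours, and a blocked attempt from an unexpected country followed by successes from networks the account had never used. The following is an added example, not ReliaQuest detection content, of a hunt over such events in Node.js. It also matches events against the defanged IOCs listed at the end of this report (in both of the page’s defanging styles). The events, ASN labels and timestamps are constructed for the example; the IP addresses are the ones named in this report.

```javascript
// Added example, not ReliaQuest's detection content: hunt a batch of sign-in
// events for (1) matches against the defanged IOCs listed at the end of this
// report and (2) the proxy-hopping pattern described above: one account
// authenticating from several unrelated residential or mobile networks within
// a short window, and a blocked foreign attempt closely followed by successes
// from networks the account had not used. The events, ASN labels and
// timestamps are constructed; the IP addresses are those named in the report.

const SAMPLE_EVENTS = [
  { time: '2025-05-12T02:10:00Z', user: 'j.doe', ip: '2600:387:f:5610::a', asn: 'AT&T Mobility', country: 'US', result: 'success', app: 'SAP SuccessFactors' },
  { time: '2025-05-12T02:14:00Z', user: 'j.doe', ip: '2600:387:f:5610::a', asn: 'AT&T Mobility', country: 'US', result: 'success', app: 'SharePoint' },
  { time: '2025-05-12T03:02:00Z', user: 'j.doe', ip: '188.143.232.224', asn: 'RU-ISP (constructed)', country: 'RU', result: 'blocked', app: 'SAP SuccessFactors' },
  { time: '2025-05-12T03:20:00Z', user: 'j.doe', ip: '142.196.199.253', asn: 'Residential-ISP-A (constructed)', country: 'US', result: 'success', app: 'SAP SuccessFactors' },
  { time: '2025-05-12T04:05:00Z', user: 'j.doe', ip: '75.113.173.76', asn: 'Residential-ISP-B (constructed)', country: 'US', result: 'success', app: 'SAP SuccessFactors' },
  { time: '2025-05-12T08:30:00Z', user: 'a.smith', ip: '203.0.113.7', asn: 'Corporate-Office (constructed)', country: 'US', result: 'success', app: 'SAP SuccessFactors' },
];

// A few entries from the report's IOC list, in its defanged forms.
const REPORT_IOCS = ['188.143.232[.]224', '2600:387:f:5610[::]a', '2600:387:15:4f15:[:]4', '142.196.199[.]253', '75.113.173[.]76'];

// Undo both defanging styles used on this page: 1.2.3[.]4, and
// 2600:...[::]a or 2600:...:[:]a for the IPv6 "::" run.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, '.').replace(/:\[:\]/g, '::').replace(/\[::\]/g, '::');
}

// Largest number of distinct networks seen in any window of `windowMs`
// among a user's successful sign-ins (sorted by time).
function maxNetworksInWindow(successes, windowMs) {
  let best = { count: 0, asns: [] };
  for (let i = 0; i < successes.length; i++) {
    const asns = new Set();
    for (let j = i; j < successes.length && successes[j].t - successes[i].t <= windowMs; j++) {
      asns.add(successes[j].asn);
    }
    if (asns.size > best.count) best = { count: asns.size, asns: [...asns] };
  }
  return best;
}

function huntSignIns(events, iocs, opts = {}) {
  const windowMs = opts.windowMs ?? 6 * 3600 * 1000;
  const minNetworks = opts.minDistinctNetworks ?? 3;
  const iocSet = new Set(iocs.map(refang));
  const iocHits = events.filter((e) => iocSet.has(e.ip));

  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ ...e, t: Date.parse(e.time) });
  }

  const findings = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.t - b.t);
    const successes = evs.filter((e) => e.result === 'success');
    const reasons = [];
    const hop = maxNetworksInWindow(successes, windowMs);
    if (hop.count >= minNetworks) {
      reasons.push(`${hop.count} distinct networks within ${windowMs / 3600000}h: ${hop.asns.join(', ')}`);
    }
    // A blocked attempt (e.g. from an unexpected country) followed within the
    // window by a success from a network not used before the block: the
    // attacker switching to a proxy after tripping a control.
    for (const b of evs.filter((e) => e.result === 'blocked')) {
      const before = new Set(successes.filter((s) => s.t < b.t).map((s) => s.asn));
      const after = successes.find((s) => s.t > b.t && s.t - b.t <= windowMs && !before.has(s.asn));
      if (after) {
        reasons.push(`blocked from ${b.country} at ${b.time}, then success from new network ${after.asn} at ${after.time}`);
        break;
      }
    }
    if (reasons.length) findings.push({ user, reasons });
  }
  return { iocHits, findings };
}

// huntSignIns(SAMPLE_EVENTS, REPORT_IOCS)
```

Treat both outputs as hunt leads rather than alerts: the IOC addresses are shared carrier and residential ranges, and a single blocked-then-success sequence also describes a traveller who was blocked on hotel Wi-Fi and then succeeded from a phone. The combination (several networks in a few hours, a blocked foreign attempt, and a subsequent payroll change) is what warrants containment. In a real log, normalize IPv6 addresses (lower-case, compressed form) before comparing them as strings.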

Stopping the Paycheck Heist

ReliaQuest’s Approach

ReliaQuest GreyMatter uses agentic AI and bespoke detections to automatically detect, investigate, and respond to attacks like the one detailed in this report. To complement this, GreyMatter Digital Risk Protection (DRP) strengthens security through brand monitoring and the detection of impersonating websites, enabling even quicker responses to prevent fraudulent activity.

As highlighted in this report, adversaries are becoming stealthier than ever. To avoid the damaging consequences of a full-blown attack, swift containment is critical once attacks are identified. Below are some of the ways ReliaQuest keeps organizations protected, stopping attackers in their tracks with speed and precision.

Threat Intelligence: ReliaQuest continuously tracks evolving TTPs used in SEO poisoning campaigns to enhance detection and threat hunting capabilities. IOCs linked to these attacks, such as malicious domains and phishing websites, are quickly integrated into GreyMatter threat feeds to enable proactive monitoring and rapid response.

Threat Hunting: ReliaQuest actively hunts for threats, including traffic from identified proxy networks, suspicious domains, unauthorized access attempts, and unusual network activity. By analyzing behavioral patterns and leveraging advanced detection techniques, we help organizations identify and mitigate risks before they escalate into security breaches.

Digital Risk Protection: GreyMatter DRP proactively monitors for impersonating domains, phishing websites, and other external threats that target organizations. By identifying these risks early, GreyMatter DRP accelerates response times and helps safeguard brand reputation, employee data, and critical assets.

Detection Rules: For comprehensive protection, we recommend deploying detection rules informed by ReliaQuest’s threat intelligence. These rules are designed to identify malicious activity, unauthorized access attempts, and other suspicious behaviors. With agentic AI enhancing analysis and investigation, these rules significantly reduce the likelihood of successful attacks.

GreyMatter Automated Response Playbooks: For the fastest containment and response, deploy Automated Response Playbooks like “Terminate Active Session,” “Reset Password,” and “Block IP” to stop attackers from accessing sensitive applications like payroll software. For an extra layer of security, we recommend setting these playbooks to “RQ Approved” to let ReliaQuest contain threats on your behalf.

Your Action Plan

Follow these steps to protect your organization from SEO poisoning campaigns:

  • Educate employees to access payroll portals using only trusted methods, such as through single sign-on (SSO) or by navigating directly to the portal. Encourage employees to bookmark domains to avoid relying on search engines.

  • Require multifactor authentication (MFA) to authenticate to payroll portals, and prefer phishing-resistant methods (FIDO2 security keys or passkeys), which are bound to the legitimate site’s origin and cannot be completed on an impersonating page. Strengthen MFA with conditional access policies that require a managed or certificate-enrolled device: a residential proxy lets an attacker satisfy location-based rules with stolen credentials, and an intercepted session token can bypass the MFA prompt entirely, so neither a password plus a one-time code nor a location check is sufficient on its own.

  • Set up alerts in payroll software so that employees are notified whenever their direct deposit information is changed, using contact details on file (such as a personal email address or phone number) rather than the account that may have been compromised, and so that payroll or security staff see the change as well. Define a clear process for employees to report unauthorized changes, and verify bank account changes out of band before the next pay run.

  • Monitor for impersonating domains with services like GreyMatter DRP to proactively identify and quickly take down fraudulent websites. These tools enable early detection and response, allowing organizations to prevent fraud and protect their employees and assets.
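Alerting on every direct deposit change is the baseline; the changes in this campaign also share signals that can be scored automatically before the next pay run. The following is an added example, not the payroll product’s own alerting and not ReliaQuest content, of a review routine in Node.js that checks each change against the employee’s recent sign-in history and against the other changes in the batch. All field names, account identifiers and records are constructed; a real SAP SuccessFactors audit export uses different fields.

```javascript
// Added example, not the payroll product's own alerting: review direct-deposit
// change events from a payroll audit log against the employees' recent
// sign-in history and flag the patterns behind this fraud: a change made from a
// network the employee had never used, made minutes after that network first
// appeared, and a destination account shared by several employees. Field
// names, account identifiers and all records are constructed; real SAP
// SuccessFactors audit exports use different fields.

const SIGN_INS = [
  { time: '2025-04-20T13:00:00Z', user: 'j.doe', asn: 'Corporate-Office' },
  { time: '2025-05-05T13:00:00Z', user: 'j.doe', asn: 'Corporate-Office' },
  { time: '2025-05-12T03:20:00Z', user: 'j.doe', asn: 'Residential-ISP-A' },
  { time: '2025-05-01T09:00:00Z', user: 'k.lee', asn: 'Corporate-Office' },
  { time: '2025-05-12T04:05:00Z', user: 'k.lee', asn: 'Residential-ISP-B' },
  { time: '2025-04-28T09:00:00Z', user: 'm.chen', asn: 'Home-ISP-C' },
  { time: '2025-05-10T18:00:00Z', user: 'm.chen', asn: 'Home-ISP-C' },
];

const DEPOSIT_CHANGES = [
  { time: '2025-05-12T03:31:00Z', user: 'j.doe', asn: 'Residential-ISP-A', routing: 'RTN-0001', account: 'ACCT-9981' },
  { time: '2025-05-12T04:12:00Z', user: 'k.lee', asn: 'Residential-ISP-B', routing: 'RTN-0001', account: 'ACCT-9981' },
  { time: '2025-05-10T18:05:00Z', user: 'm.chen', asn: 'Home-ISP-C', routing: 'RTN-0002', account: 'ACCT-1204' },
];

function reviewDepositChanges(changes, signIns, opts = {}) {
  const lookbackMs = opts.lookbackMs ?? 30 * 24 * 3600 * 1000; // baseline period
  const recentMs = opts.recentMs ?? 24 * 3600 * 1000; // "just appeared" threshold
  const minutes = (ms) => Math.round(ms / 60000);

  // Destination accounts used by more than one employee in this batch.
  const usersByDestination = new Map();
  for (const c of changes) {
    const key = `${c.routing}/${c.account}`;
    if (!usersByDestination.has(key)) usersByDestination.set(key, new Set());
    usersByDestination.get(key).add(c.user);
  }

  return changes.map((c) => {
    const t = Date.parse(c.time);
    const mine = signIns.filter((s) => s.user === c.user).map((s) => ({ ...s, t: Date.parse(s.time) }));
    const reasons = [];

    // Baseline: networks the employee used in the lookback period, excluding
    // the last `recentMs` so the attacker's own sign-in cannot whitelist itself.
    const baseline = new Set(mine.filter((s) => s.t >= t - lookbackMs && s.t < t - recentMs).map((s) => s.asn));
    if (!baseline.has(c.asn)) {
      reasons.push(`changed from network ${c.asn}, not seen for this employee in the prior ${lookbackMs / 86400000} days`);
    }

    const firstSeen = mine.filter((s) => s.asn === c.asn && s.t <= t).sort((a, b) => a.t - b.t)[0];
    if (firstSeen && t - firstSeen.t <= recentMs) {
      reasons.push(`network first seen ${minutes(t - firstSeen.t)} minutes before the change`);
    }

    const sharers = usersByDestination.get(`${c.routing}/${c.account}`);
    if (sharers.size > 1) {
      reasons.push(`destination account also set by: ${[...sharers].filter((u) => u !== c.user).join(', ')}`);
    }

    const severity = reasons.length >= 2 ? 'high' : reasons.length === 1 ? 'medium' : 'none';
    // Anything flagged is held for out-of-band confirmation with the employee
    // before the next pay run; the notification goes to contact details on
    // file, not to the possibly compromised account.
    return { user: c.user, time: c.time, severity, holdForVerification: severity !== 'none', reasons };
  });
}

// reviewDepositChanges(DEPOSIT_CHANGES, SIGN_INS)
```

The shared-destination check is the strongest single signal, because a payroll-diversion operator funnels many employees’ wages into a small number of mule accounts, while the baseline exclusion of the last 24 hours prevents the attacker’s own fresh sign-in from making the new network look familiar.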

IOCs

Artifact: 188.143.232[.]224
Details: Attacker IP address geolocated to Russia (the blocked, unproxied authentication attempt).

Artifacts:
  • 2600:387:15:4f15[::]4
  • 2600:387:f:5610[::]a
  • 2600:387:f:7911[::]6
  • 2600:387:15:4f10[::]7
Details: Attacker IPv6 addresses from a mobile provider (AT&T). Adding these addresses to a threat feed is not recommended: they are dynamically assigned carrier addresses that are reallocated to legitimate subscribers and will produce false-positive detections. Instead, threat hunt for them in authentication logs and investigate any matches for malicious activity.

Artifacts:
  • 24.35.218[.]249
  • 45.25.222[.]95
  • 47.147.0[.]43
  • 67.248.0[.]40
  • 70.184.85[.]12
  • 71.204.101[.]149
  • 72.85.59[.]141
  • 74.135.76[.]49
  • 75.69.94[.]63
  • 75.113.173[.]76
  • 76.181.194[.]172
  • 98.144.134[.]107
  • 104.237.113[.]2
  • 107.115.239[.]26
  • 107.116.79[.]10
  • 136.41.4[.]175
  • 142.196.199[.]253
  • 172.223.158[.]102
  • 173.209.172[.]26
  • 173.209.172[.]26
Details: Attacker residential proxy IP addresses. Adding these addresses to a threat feed is not recommended for the same reason: they belong to home routers whose owners are themselves victims, and the addresses change hands. Instead, threat hunt for them in authentication logs and investigate any matches for malicious activity.