CFOtech Asia - Technology news for CFOs & financial decision-makers
SEO poisoning attack diverts wages using fake payroll websites

Cybersecurity firm ReliaQuest has released an analysis of a search engine optimisation (SEO) poisoning campaign that led to payroll fraud at a manufacturing sector client.

The attack, which was discovered in May 2025, involved adversaries creating a fake website resembling the victim organisation's login page, specifically targeting employees' mobile devices. Using credentials obtained through this fraudulent site, the attacker accessed the company's payroll portal, altered direct deposit details, and diverted employees' wages into their own accounts.

ReliaQuest's security researchers noted that the tactics, techniques, and procedures (TTPs) associated with this incident closely align with those observed in two investigations from late 2024. This suggests the operation may be part of a wider, ongoing campaign targeting multiple organisations.

SEO poisoning is a technique in which attackers use deceptive websites designed to mimic legitimate portals. These malicious pages are promoted to rank highly in search engine results, luring victims into providing their credentials. In this recent case, when employees searched for terms related to payroll or their company's portal using a mobile device, the attacker's site would appear top in the results, significantly increasing the likelihood of a successful breach.

The attackers targeted employee mobile devices for two main reasons. First, many of these devices connect through guest Wi-Fi or remain disconnected from secure enterprise networks, making it easier to evade enterprise-grade security measures such as web traffic filtering. Second, visits often occurred outside working hours, meaning the activity was not logged by company systems, which hindered investigation and made it difficult to trace affected accounts.

ReliaQuest highlighted, "Phishing attacks targeting off-network devices, like mobile phones, create big challenges for organisations, as they expose gaps that on-premises and cloud networks often overlook. These devices typically lack proper security and logging, leaving organisations in the dark when employee credentials are stolen - and unable to act fast enough."

Upon clicking the malicious link from a mobile device, users were redirected to a phishing site mimicking a Microsoft login page, while users accessing the page from a workstation saw no significant content. This approach complicated efforts to detect and analyse the fraudulent website, as it both evaded detection by security tools and disrupted threat analysis.

Captured credentials were sent to an adversary-controlled site using a PHP script also observed in previous incidents, strengthening the link between these attacks. Immediately after credentials were entered, an HTTP GET request established a WebSocket connection via Pusher, a genuine platform for real-time web communication. The phishing site's code enabled the attacker to receive stolen credentials in real time, allowing them to act quickly before passwords were reset.

ReliaQuest explained the significance: "This phishing attack exposes user credentials without any monitoring or safeguards to block the activity, leaving organisations completely in the dark. By using Pusher, the attacker gains quick access to authentication portals, reusing compromised credentials. This highlights a critical vulnerability: Organisations with lax authentication controls can be easily caught off guard by attacks targeting employees' off-network personal devices, where traditional security measures often fall short."

After harvesting credentials, the attacker accessed the payroll system from a residential IP address tied to telecommunications services, reviewed documents related to direct deposit changes, and amended payroll information to divert funds. Security logs later revealed additional access attempts from both US-based and Russian IP addresses, one of which was blocked. The attacker ultimately relied on residential IPs, making their activities difficult to distinguish from legitimate network traffic.

ReliaQuest found that traffic originated from home office routers and mobile networks, with many routers identified as brands commonly targeted for compromise. Weak passwords, unpatched firmware, and vulnerabilities such as CVE-2024-3080 and CVE-2025-2492 were exploited to form botnets, whose proxies were sold on criminal marketplaces. Proxy network services, sometimes costing as little as $0.77 per gigabyte, enable attackers to disguise their activities by using apparently trustworthy residential IPs.

The report referenced law enforcement actions such as the FBI's investigation into the Anyproxy and 5socks botnet services, which together generated over $46 million in criminal revenue, illustrating the market demand for residential proxy services.

The use of proxy networks prevents standard network-based security methods from flagging suspicious access. ReliaQuest stated, "When attackers use proxy networks, especially ones tied to residential or mobile IP addresses, they become much harder for organisations to detect and investigate. Unlike VPNs, which are often flagged because their IP addresses have been abused before, residential or mobile IP addresses let attackers fly under the radar and avoid being classified as malicious. What's more, proxy networks allow attackers to make their traffic look like it originates from the same geographical location as the target organisation, bypassing security measures designed to flag logins from unusual or suspicious locations."

ReliaQuest recommends organisations strengthen security controls by requiring multifactor authentication (MFA) and using conditional access policies on payroll portals. Employees should be regularly educated about accessing payroll systems only through approved channels such as single sign-on (SSO), and be encouraged to bookmark official portal addresses rather than relying on search engines. Monitoring payroll changes and maintaining clear incident response procedures are also advised.
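The monitoring step above can be turned into a concrete check. The following added example (not ReliaQuest's code or the article's) correlates payroll direct-deposit changes with the account's recent sign-in history, flagging a change made from an IP address the user only started using recently, or an account that was used from more than one country around the time of the change; the audit events, field layout and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): timestamp, user, event, ip, country
EVENTS = [
    ("2025-05-01T08:30:00", "alee",   "login",     "10.0.4.21",    "US"),
    ("2025-05-02T09:05:00", "jsmith", "login",     "10.0.4.17",    "US"),
    ("2025-05-03T08:30:00", "alee",   "login",     "10.0.4.21",    "US"),
    ("2025-05-03T08:32:00", "alee",   "dd_change", "10.0.4.21",    "US"),
    ("2025-05-06T22:41:00", "jsmith", "login",     "203.0.113.88", "US"),
    ("2025-05-06T22:44:00", "jsmith", "dd_change", "203.0.113.88", "US"),
    ("2025-05-06T23:02:00", "jsmith", "login",     "198.51.100.7", "RU"),
]

def flag_dd_changes(events, new_ip_age=timedelta(days=1), geo_window=timedelta(hours=24)):
    """Return (user, reason) alerts for direct-deposit changes that need review.

    An IP counts as established for a user only if that user first used it more
    than `new_ip_age` before the change; a change from a newer IP is flagged.
    A change is also flagged when the account was used from more than one
    country within `geo_window` of the change (thresholds are assumptions).
    """
    evs = sorted((datetime.fromisoformat(t), u, e, ip, c) for t, u, e, ip, c in events)
    first_seen = defaultdict(dict)  # user -> ip -> first timestamp seen
    for ts, user, _ev, ip, _c in evs:
        first_seen[user].setdefault(ip, ts)
    alerts = []
    for ts, user, ev, ip, _c in evs:
        if ev != "dd_change":
            continue
        age = ts - first_seen[user][ip]
        if age < new_ip_age:
            alerts.append((user, f"direct deposit changed from IP {ip} first seen {age} earlier"))
        countries = {c for t, u, _e, _i, c in evs
                     if u == user and abs(t - ts) <= geo_window}
        if len(countries) > 1:
            alerts.append((user, f"account used from {sorted(countries)} within {geo_window} of the change"))
    return alerts

if __name__ == "__main__":
    for user, reason in flag_dd_changes(EVENTS):
        print(f"[REVIEW] {user}: {reason}")
```

In the sample data only jsmith's change is flagged, on both counts; alee's change comes from an IP established two days earlier and from a single country.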
