Scammers trick over 500,000 victims with fake Google, Bing ads to steal personal info
If you're moving your paycheck online, you are a target
- Payroll Pirates spoofed HR platforms via ads to steal credentials and MFA codes
- Over 200 platforms were targeted, affecting around half a million users
- Telegram bots enabled real-time phishing, infrastructure spanned Kazakhstan, Vietnam, and cloaked domains
Scammers have been spoofing payroll systems, credit unions, and trading platforms across the US in a bid to steal login credentials and multi-factor authentication (MFA) codes, experts have warned.
Cybersecurity researchers from Check Point named the perpetrators ‘Payroll Pirates’, who use paid ads on popular networks such as Google or Bing to advertise spoofed payroll and HR portals.
When an employee searched for their platform of choice (instead of typing its address directly into the address bar), they would see the fake site promoted at the top. Those who unknowingly clicked the link and tried to log in effectively relayed their credentials to the attackers.
Returning stronger
Over time, the operation targeted more than 200 platforms and lured in an estimated half a million users, the researchers claim.
The campaign appeared to go dormant in late 2023, but returned in mid-2024 with upgraded phishing kits capable of bypassing two-factor authentication.
Operators used Telegram bots to interact with victims in real time, requesting one-time codes and other security answers. The kits’ backend was also redesigned to hide data exfiltration paths, making the infrastructure much harder to detect or dismantle.
Because the group runs two major infrastructure clusters, Check Point initially believed it was looking at multiple different campaigns.
One uses Google Ads and “white page” redirects hosted in Kazakhstan and Vietnam, while the other relies on Bing Ads and aged domains filtered through cloaking services. However, subsequent investigation determined this was all part of a single, unified network. Logs showed at least four administrators managing Telegram channels tied to different targets, such as payroll platforms, credit unions, and healthcare benefits portals.
They even found one of the admins posting a video from Odessa, concluding that at least one of the operators was based in Ukraine. Payroll Pirates remain active, constantly refining their tactics, and targeting anyone whose paycheck moves online, Check Point ultimately warned.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.