Abnormal Attack Stories: COVID-19 Payroll Fraud

April 8, 2020

Abnormal Security

Abnormal Security

In this attack, attackers are impersonating an HR and payroll services company to attempt to steal those credentials from unsuspecting employees under the guise of changes being made due to COVID-19 and work from home policies.

Quick Summary

  • Platform: Office 365
  • # Mailboxes: Between 20,000 and 50,000
  • Email Gateway: Proofpoint
  • Email Security: Office 365
  • Victims: Managers, HR, Payroll
  • Payload: Malicious Link
  • Technique: Impersonation
  • Threat Actor: Compromised EDU accounts

What was the attack?

  • Setup: This attack leverages changes in payroll–or expectations about potential changes in payroll–as many employees work from home due to COVID-19. As a result, employees who previously received physical paychecks are transitioning to online HR and payroll services.
  • Email Attack: This attacker crafted a convincing email and landing page that appeared to come from an HR and payroll services company. The email sent by the attackers claims to be sent by the payroll company with information needed to process payroll from home which can be accessed by signing into the link provided.
  • Payload: The email contains a link to a fake HR and payroll services website. The URL is masked with a link, and the real URL takes the victims to a site hosted at “http://mmz-servis.by/” or “http://candyroxshop.com/”, which attackers likely control and will use to steal login credentials of payroll and HR administrators.
  • Result: Should recipients fall victim to this attack, sensitive information stored by the HR and payroll services company to process payrolls for employees would be compromised.

Why is this attack effective?

  • Urgency: This attack leverages the COVID-19 pandemic, where many employees are transitioning to working from home, to urge the victim to ensure that their organization has provided the proper information to process payroll electronically. The attack mimics an automatic email that reminds the victim to login and check that payroll is properly set up. This specific attack targets managers, HR, and payroll who may expect a similar legitimate email and therefore be less scrutinizing of the attack.
  • Convincing email and landing page: The email and landing page that the attacker created were convincing. The landing page almost replicates the true HR and payroll company’s landing page landing page. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials.
  • Concealed URL: The URLs where the landing page were ultimately hosted (http://mmz-servis.by/wordpress/wp-content/ and http://candyroxshop.com/city/verification/) were clearly not a site owned or run by the HR and payroll company. However, the email concealed this URL, and the attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid.

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack

(click to enlarge)

Payload

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

COVID-19-related attack deep dives

Like our article? Share our content