"The attacker's infrastructure used compromised home office routers and mobile networks to mask their traffic, dodging detection and slipping past traditional security measures," the cybersecurity company said in an analysis published last week.
"The adversary specifically targeted employee mobile devices with a fake website impersonating the organization's login page. Armed with stolen credentials, the adversary gained access to the organization's payroll portal, changed direct deposit information, and redirected employees' paychecks into their own accounts."
It all starts when an employee searches for their company's payroll portal on search engines like Google, with deceptive lookalike websites surfacing to the top of the results using sponsored links. Those who end up clicking on the bogus links are led to a WordPress site that redirects to a phishing page mimicking a Microsoft login portal when visited from a mobile device.
On top of that, targeting employee mobile devices offers a twofold advantage: they lack the enterprise-grade security measures typically available on desktop computers, and they connect from outside the corporate network, effectively reducing visibility and hampering investigation efforts.
Employees Searching Payroll Portals on Google Tricked Into Sending Paychecks to Hackers
Mobile-focused phishing using SEO poisoning and fake portals hit payroll systems in May 2025, rerouting salaries and evading detection via home router
thehackernews.com
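A detection sketch for the pattern described above (stolen credentials used from a home router or mobile network, followed by a direct deposit change), added here as an example and not taken from the article or the vendor's analysis. The audit-event fields, network labels, user names and the 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed payroll-portal audit events (hypothetical schema):
# (timestamp, user, action, source network label, device class)
EVENTS = [
    ("2025-05-02T08:01:00", "alice", "login", "AS-CORP", "desktop"),
    ("2025-05-03T08:05:00", "alice", "login", "AS-CORP", "desktop"),
    ("2025-05-06T21:40:00", "alice", "login", "AS-RESIDENTIAL-7", "mobile"),
    ("2025-05-06T21:44:00", "alice", "deposit_change", "AS-RESIDENTIAL-7", "mobile"),
    ("2025-05-04T09:00:00", "bob", "login", "AS-CORP", "desktop"),
    ("2025-05-07T09:10:00", "bob", "login", "AS-CORP", "desktop"),
    ("2025-05-07T09:15:00", "bob", "deposit_change", "AS-CORP", "desktop"),
    ("2025-05-08T19:00:00", "carol", "login", "AS-MOBILE-3", "mobile"),
    ("2025-05-08T19:02:00", "carol", "deposit_change", "AS-MOBILE-3", "mobile"),
]


def risky_deposit_changes(events, window=timedelta(minutes=30)):
    """Flag direct deposit changes made shortly after a login from a network
    the user has never used, or made with no usable login baseline at all."""
    seen = {}        # user -> networks observed in earlier logins
    last_login = {}  # user -> (login time, status of that login's network)
    alerts = []
    for ts, user, action, net, device in sorted(events):  # ISO times sort in order
        t = datetime.fromisoformat(ts)
        if action == "login":
            known = seen.setdefault(user, set())
            if not known:
                status = "no-baseline"   # first login on record: nothing to compare
            elif net not in known:
                status = "new-network"   # e.g. a residential or mobile carrier range
            else:
                status = "known"
            last_login[user] = (t, status)
            known.add(net)
        elif action == "deposit_change":
            lt, status = last_login.get(user, (None, "no-login"))
            # A change with no recorded login is always suspicious; otherwise
            # alert only when an unfamiliar-network login is recent.
            if status == "no-login" or (status != "known" and t - lt <= window):
                alerts.append((user, ts, status, device))
    return alerts


if __name__ == "__main__":
    for alert in risky_deposit_changes(EVENTS):
        print(alert)
```

Alerts like these are best routed to a hold-and-verify step for the bank detail change, since the login itself carries valid credentials.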