Payroll Scam Uses SEO Tricks and Home Routers to Steal

A New Kind of Search-Engine Trap

Cyber-security specialists at ReliaQuest say they have uncovered a fresh wave of online fraud that hijacks search-engine results to trick employees into handing over their payroll passwords. The scheme, first spotted in May 2025 when it struck a large manufacturing firm, relies on advertising links that rise to the top of Google and other search sites. Workers looking for their company’s payroll portal click the sponsored result, arrive at a convincing copy of their employer’s sign-in page, and unknowingly give crooks the keys to their paychecks.

Fake Sites Tailored for Phones

The ruse is tuned for mobile traffic. When the bogus WordPress site detects a smartphone, it redirects the visitor to a Microsoft-style login page that looks almost identical to the real one. Login details typed there are forwarded straight to a server controlled by the attackers. At the same time the page opens a persistent WebSocket connection that notifies the criminals the moment fresh credentials arrive. This instant alert lets them log in as the employee and edit direct-deposit settings before anyone notices.

ReliaQuest’s analysts say this mobile focus serves two goals. First, phones often lack the heavy-duty security software found on company laptops. Second, phones usually sit outside the corporate network, so the break-in produces few if any logs for defenders to review. That lack of visibility slows incident response and keeps the fake site off widely shared lists of malicious domains.

Cloaking Traffic Behind Home Networks

Tracing the break-ins back to their source proved tricky because the attackers masked their steps through hacked home routers and cellular IP addresses. Gear from brands such as ASUS and Pakedge turned up in the investigation. In many cases the routers were running with old firmware or factory passwords, making them easy pickings for automated scans. Once compromised, the devices joined a proxy botnet that the criminals used to funnel their traffic. Because the sign-in requests appeared to come from ordinary residential locations—even in the same city as the victim company—standard geo-filtering rules never fired.

VPN endpoints, by contrast, often land on blocklists because they have been abused before. Residential and mobile IPs rarely draw that scrutiny, allowing the criminals to slip past reputation checks and appear legitimate.

Echoes of Earlier Cases

ReliaQuest links this incident to two similar payroll thefts it investigated in late 2024, suggesting an ongoing campaign rather than a one-off stunt. So far no specific hacking crew has claimed responsibility, and researchers have not pinned the activity to a known group, but the overlapping methods and infrastructure point to the same hands at work.

The broader threat landscape backs this view. Around the same time, Hunt.io saw a fraudulent Adobe Shared File page that harvested Outlook passwords with the help of the popular W3LL phishing kit. Meanwhile, Proofpoint documented a separate kit it calls CoGUI that has bombarded Japanese users with more than half a billion emails since January 2025. CoGUI copies the look of brands ranging from Amazon to Rakuten and uses tricks such as geofencing and browser fingerprinting to dodge sandboxes. Although it does not capture multi-factor codes, it still nets usernames, passwords, and payment details at scale.

Investigators say CoGUI resembles another toolkit named Darcula, part of a Chinese “phishing as a service” scene sometimes labeled the Smishing Triad. Darcula leans heavily on text-message lures and focuses on grabbing credit-card data, while another newcomer, Panda Shop, automates phishing page delivery through Telegram bots and funnels stolen card numbers to underground markets. Resecurity researchers note that many operators behind these kits flaunt their activities openly, claiming Chinese jurisdiction keeps them beyond the reach of U.S. law enforcement.

Why the Mobile Angle Matters

Targeting phones is not just a convenience play; it slashes the odds of early detection. Most enterprises let staff bring their own devices and seldom install managed security apps on them. When employees use those phones to reach cloud services—payroll included—they effectively bypass several layers of defense. Attackers exploit that gap, knowing that incident responders will have limited forensic data once the fraud comes to light.

What Companies Can Do Now

ReliaQuest urges businesses to tighten defenses on two fronts: block malicious ads that imitate internal portals and harden remote devices. Simple steps such as enforcing multi-factor authentication for payroll changes, rolling out mobile security profiles, and patching or replacing aging home-office routers can raise the bar. Training employees to bookmark the genuine payroll URL—rather than Googling for it each pay period—also removes the bait the scammers rely on.
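One server-side check that remains available even when the employee's phone yields no logs is to watch the payroll portal's own audit trail for the sequence the article describes: a sign-in from a device and IP the user has never used before, followed within minutes by a direct-deposit change. The script below is an added example, not ReliaQuest's or any vendor's code; the log format, field names, event names and time window are assumptions, and the rule deliberately ignores geolocation because the proxied sign-ins looked local to the victim.

```python
"""Added example: flag direct-deposit changes made shortly after a payroll-portal
login from a device/IP pair the employee had never used. Log layout, event names
and the window are constructed for this example, not taken from any product."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed: how soon after login a change is suspicious

# Constructed sample audit log: timestamp user event source_ip user_agent
SAMPLE_LOG = """\
2025-05-12T08:02:11 alice login 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)
2025-05-12T08:40:03 alice view_paystub 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)
2025-05-13T12:15:42 alice login 198.51.100.77 Mozilla/5.0 (iPhone; CPU iPhone OS 17_4)
2025-05-13T12:19:08 alice update_direct_deposit 198.51.100.77 Mozilla/5.0 (iPhone; CPU iPhone OS 17_4)
2025-05-13T13:00:00 bob login 203.0.113.22 Mozilla/5.0 (Windows NT 10.0)
2025-05-13T13:05:00 bob update_direct_deposit 203.0.113.22 Mozilla/5.0 (Windows NT 10.0)
"""

def parse(log_text):
    """Yield (timestamp, user, event, ip, user_agent); the agent may contain spaces."""
    for line in log_text.splitlines():
        ts, user, event, ip, ua = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), user, event, ip, ua

def find_suspicious_changes(log_text):
    """Return (user, change_time, ip) for direct-deposit changes that follow, within
    WINDOW and from the same device, a login from a device/IP pair never seen for
    that user. A user's very first device only establishes a baseline; no alert."""
    seen = defaultdict(set)   # user -> {(ip, user_agent)} observed so far
    fresh_login = {}          # user -> (login_time, ip, ua) for an unseen device
    alerts = []
    for ts, user, event, ip, ua in parse(log_text):
        device = (ip, ua)
        if event == "login":
            if seen[user] and device not in seen[user]:
                fresh_login[user] = (ts, ip, ua)
            seen[user].add(device)
        elif event == "update_direct_deposit" and user in fresh_login:
            login_ts, login_ip, login_ua = fresh_login[user]
            if (ip, ua) == (login_ip, login_ua) and ts - login_ts <= WINDOW:
                alerts.append((user, ts.isoformat(), ip))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_changes(SAMPLE_LOG):
        print("suspicious direct-deposit change:", alert)
```

Only alice's change is flagged: her second login came from an iPhone on an IP she had never used, whereas bob's first-ever login merely establishes his baseline.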

The latest attack shows how criminals blend old tricks like phishing with modern ad-placement tactics and compromised consumer hardware to reach corporate pay systems. Until organizations extend enterprise-level protection to the phones in every employee’s pocket, payroll fraudsters will keep finding ways to cash in.