TZUTC: -0500   
   MSGID: 1707.consprcy@1:2320/105 2d7c81d3   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Scammers trick over 500,000 victims with fake Google, Bing ads to steal   
   personal info   
      
   Date:   
   Thu, 13 Nov 2025 17:04:00 +0000   
      
   Description:   
   "Payroll Pirates" have been spoofing payroll and HR platforms to scam people.   
      
   FULL STORY   
      
   Scammers have been spoofing payroll systems , credit unions, and trading   
   platforms across the US in a bid to steal login credentials and multi-factor   
   authentication (MFA) codes, experts have warned.    
      
   Cybersecurity researchers from Check Point named the perpetrators  Payroll   
   Pirates , who use paid ads on popular networks such as Google or Bing to   
   advertise spoofed payroll and HR portals.    
      
   When a victim employee searched for their platform of choice (instead of   
   simply typing in the address in the address bar), they would see the fake    
   site promoted at the top. Those that unknowingly clicked the link and tried    
   to log in effectively relayed their credentials to the attackers.   
      
   Returning stronger   
      
   Over time, the operation targeted more than 200 platforms and lured in an   
   estimated half a million users, the researchers claim.    
      
   The campaign appeared to go dormant in late 2023, but returned in mid-2024   
   with upgraded phishing kits capable of bypassing two-factor authentication .    
      
   Operators used Telegram bots to interact with victims in real time,    
   requesting one-time codes and other security answers. The kits backend was   
   also redesigned to hide data exfiltration paths, making the infrastructure   
   much harder to detect or dismantle.    
      
   Since the group runs two major infrastructure clusters, Check Point believed   
   this to be multiple different campaigns.    
      
   One uses Google Ads and white page redirects hosted in Kazakhstan and    
   Vietnam, while the other relies on Bing Ads and aged domains filtered through   
   cloaking services. However, subsequent investigation determined this was all   
   part of a single, unified network. Logs showed at least four administrators   
   managing Telegram channels tied to different targets, such as payroll   
   platforms, credit unions, and healthcare benefits portals.    
      
   They even found one of the admins posting a video from Odessa, concluding    
   that at least one of the operators was based in Ukraine. Payroll Pirates   
   remain active, constantly refining their tactics, and targeting anyone whose   
   paycheck moves online, Check Point ultimately warned.    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/scammers-trick-over-500-000-victims-wit   
   h-fake-google-bing-ads-to-steal-personal-info   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426