Payroll pirates are hijacking ads to steal your logins and paychecks

The Payroll Pirates are on the prowl, using Telegram bots and MFA bypass tactics to swipe work logins and security codes from users worldwide.


Cyber crooks dubbed the “Payroll Pirates” are ramping up their game, hijacking search ads to pilfer your work logins and security codes, reports 9to5Mac.

These digital buccaneers are spoofing over 200 legit HR, payroll, credit union, and trading sites, potentially screwing over half a million users worldwide.

How the Scam Works: From Search to Stolen Credentials

Here’s how it works: You’re searching for your company’s payroll portal on Google or Bing, and bam, a slick ad pops up promising easy access. Click it, and you’re funneled to a phony login page that looks identical to the real deal.

They snag your username, password, and even those precious multi-factor authentication (MFA) codes, rendering your extra security layer useless.

The crew went radio silent late last year but resurfaced mid-2024 with souped-up phishing kits that dodge MFA like pros.

The Pirates’ New Arsenal: Telegram Bots and MFA Bypass Tactics

Now, they’re using Telegram bots for live chats, sweet-talking victims into coughing up one-time codes or secret answers in real time.

Their backend’s been overhauled to mask data theft routes, making it tougher for security folks to track.

This operation’s got tentacles in Kazakhstan and Vietnam, leaning on sneaky, cloaked, and aged domains to stay under the radar.

Logs show at least four admins running Telegram channels tailored to sectors like payroll, banking, and health benefits. One even bragged in a video from Odessa, Ukraine, hinting at a local operator.

Protect Your Paycheck: Defense Strategies Against Phishing Attacks

These pirates aren’t sailing off anytime soon—they’re tweaking tactics on the fly.

Pro Tip: Double-check URLs, avoid ad-driven links for sensitive stuff, and report sketchy sites. Here are some additional steps you can take:

  • Check Have I Been Pwned: Head to haveibeenpwned.com and enter your email to see if you’re in any known breaches.
  • Change your password immediately: Use a unique, strong password (none of that Password123 nonsense).
  • Enable 2FA: Two-factor authentication is your best friend right now.
  • Review account activity: Check your Gmail security settings for any suspicious logins.
  • Update passwords everywhere: If you reused that Gmail password (tsk tsk), change it on every site.

The Payroll Pirates aren’t going anywhere—they’re getting smarter and bolder by the day. Your best defense? Skip search ads for sensitive sites, bookmark the real ones, and never trust anyone asking for your codes via chat. 


Kevin is KnowTechie's founder and executive editor. With over 15 years of blogging experience in the tech industry, Kevin has transformed what was once a passion project into a full-blown tech news publication. Shoot him an email at kevin@knowtechie.com.
