A new cyberattack campaign is exploiting search engine optimization (SEO) poisoning to target employee mobile devices and commit payroll fraud, a report published by cybersecurity firm ReliaQuest said.
Detected in May 2025 targeting an unnamed manufacturing firm, the campaign involves fake login pages that mimic employee payroll portals. When unsuspecting users enter their credentials, the attackers gain access to the real payroll system and reroute paychecks to bank accounts under their control.
The attackers’ infrastructure used compromised home office routers and mobile networks to mask their traffic.
The attack begins when employees search for their company’s payroll portal on popular search engines like Google. Malicious actors use sponsored links to place deceptive lookalike websites at the top of search results. These sites redirect mobile users to a phishing page spoofing a Microsoft login screen.
Once credentials are submitted, they are exfiltrated to an attacker-controlled server and relayed in real time through a push notifications API, giving attackers a narrow window to hijack accounts before passwords are changed.
The phishing infrastructure itself is cleverly masked, relying on residential IP addresses from compromised routers, including brands like ASUS and Pakedge, infected with malware and repurposed into proxy botnets. This tactic helps attackers evade detection by mimicking legitimate traffic patterns.
ReliaQuest linked this incident to a broader campaign observed since late 2024, although no specific hacking group has been identified.