{"id":3644,"date":"2025-05-08T13:37:44","date_gmt":"2025-05-08T13:37:44","guid":{"rendered":"http:\/\/localhost\/?p=3644"},"modified":"2025-05-08T13:37:44","modified_gmt":"2025-05-08T13:37:44","slug":"cyber-criminals-impersonate-payroll-hr-and-benefits-platforms-to-steal-information-and-funds","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=3644","title":{"rendered":"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">MALWAREBYTES:C4969F80FC21011210563A880B97CC62<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">malwarebytes<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-08T17:01:19<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-08T17:01:19<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">0.0<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid 
#ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Attack Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><\/td>\n<\/tr>\n<\/table>\n<h3>Affected CVEs<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<\/ul>\n<\/div>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\n<p>The relentless battle against online fraud is a constant evolution, a digital chase where security teams and malicious actors continually adapt. The increasing sophistication of attacks is blurring the lines between legitimate user behavior and impersonation attempts.<\/p>\n<p>The campaign we are exposing today is a reminder that even the most advanced security technologies do not dissuade threat actors. We discovered a new phishing kit targeting payroll and payment platforms that aims to not only steal victims&#8217; credentials but also to commit wire fraud.<\/p>\n<p>Our investigation began with a fraudulent search ad for Deel, a payroll and human resources company. Clicking on the ad sent employees and employers to a phishing website impersonating Deel.<\/p>\n<p>Besides code for stealing usernames and passwords and circumventing two-factor authentication, we identified malicious code capable of performing additional nefarious actions unbeknownst to the victim. 
Through a fully authenticated web worker, this phishing kit uses a legitimate hosted web service called Pusher with the intent of manipulating sensitive profile data fields related to banking and payment information.<\/p>\n<p>While we were working this case, the FBI issued a public service announcement (PSA250424) warning people that cyber criminals are _using search engine advertisements to impersonate legitimate websites_ and _expanded to target payroll, unemployment programs, and health savings accounts with the goal of stealing money through fraudulent wire transactions or redirecting payments_.<\/p>\n<p>The Google ad was taken down quickly, and we have informed Deel and MessageBird (Pusher&#8217;s parent company) about the misuse of their respective platforms.<\/p>\n<p>## Search results ad targets Deel<\/p>\n<p>Deel is a US-based payroll and human resources company founded in 2019 whose platform is designed to streamline the complexities of managing a global workforce, offering solutions for payroll, HR, compliance, and more.<\/p>\n<p>We first identified a malicious Google Search ad for Deel in mid-April for the keywords &#8216;_deel login_&#8217;. The top link is a sponsored search result, appearing just above the organic search result for Deel&#8217;s official website.<\/p>\n<p>The URL in the ad (_deel[.]za[.]com_) uses the .ZA.COM subdomain of .COM targeting South Africa, essentially an alternative to the .CO.ZA extension. That URL is used as a redirect only, allowing the threat actors to use cloaking in order to redirect clicks to decoy websites (white page) or phishing domains they can rotate.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_bb2686.png)<\/p>\n<p>## Phishing portal and 2FA<\/p>\n<p>The first phishing domain we saw was _login-deel[.]app_, but at the time we checked it did not resolve. 
Shortly thereafter, the same Google ad URL pointed to a new domain, _accuont-app-deel[.]cc_.<\/p>\n<p>The phishing page is a replica of Deel&#8217;s login page with one minor difference: _the Log in using Google_ and _Continue with QR code_ options are disabled, only leaving the user name and password fields for authentication.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_fe7aa6.png?w=1024)<\/p>\n<p>After entering their credentials, victims are social engineered by the crooks to type a security code that was sent to their email address. While two-factor authentication is a great added security feature, we can see that it can be rendered useless when victims authenticate into the wrong website.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_6fb280.png?w=1024)<\/p>\n<p>On the surface, this looks just like another phishing site, until you look deeper and discover more intriguing code.<\/p>\n<p>## Traffic analysis<\/p>\n<p>To better understand how this phishing kit works, we recorded a network capture showing the web requests sent and received. This allowed us to identify several interesting components that make this phishing campaign unique.<\/p>\n<p>Of particular interest are several JavaScript libraries, namely _pusher.min.js_ , _Worker.js_ and _kel.js_.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_f9ea30.png)<\/p>\n<p>The phishing kit uses anti-debugging techniques to prevent us from stepping through its code. This is a common practice to hide malicious intent and makes analysis more time consuming.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_dbf40b.png)<\/p>\n<p>## Scripts analysis<\/p>\n<p>Looking at the files that the anti-debugger is trying to conceal, we see that only one is human readable, while the other two are heavily obfuscated using _obfuscator.io_. 
The _pusher.min.js_ JavaScript file is a legitimate library from Pusher, a hosted web service that uses APIs, developer tools and libraries to manage connections between servers and clients using technologies like WebSockets.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_078bf2.png?w=696)<\/p>\n<p>There seem to be two different types of sessions, based on the functions named _createBankSession_ and _createCardSession_. When attempting to log in to the phishing site, we see a session_type value of &#8220;bank&#8221; which belongs to the former function.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/05\/image.png)<\/p>\n<p>The _kel.js_ and _Worker.js_ files are both used for authenticating the victim into the real Deel website while a web worker communicates with the threat actor&#8217;s infrastructure to process the credentials and to receive the OTP code needed to get past two-factor authentication.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_c55395.png)<\/p>\n<p>WebSocket is a persistent communication protocol that allows for full-duplex communication between a user&#8217;s browser and a server. 
This means data can be pushed from the server to the client in real-time without the client having to constantly request it.<\/p>\n<p>Here&#8217;s an example of a WebSocket communication where the user provided the wrong login credentials:<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_bd7a5e.png)<\/p>\n<p>The conversation begins with a `pusher:connection_established` message, confirming a successful connection to the Pusher real-time service and providing a unique `socket_id` and an `activity_timeout` of 120 seconds.<\/p>\n<p>Next, a `pusher:subscribe` message shows the client requesting to listen for events on a specific channel identified by a unique session ID, indicating a desire to receive real-time updates for that session.<\/p>\n<p>The server then acknowledges this request with a `pusher_internal:subscription_succeeded` message for the same channel, confirming that the client is now successfully subscribed and will receive broadcasts.<\/p>\n<p>Finally, an `events` message is received on that session channel, carrying data indicating a &#8220;wrongLogin&#8221; event has occurred and instructing the client-side application to &#8220;Show&#8221; something, likely an error message to the user in real-time.<\/p>\n<p>## Additional targets<\/p>\n<p>This phishing kit is unique and can be tracked with the following characteristics:<\/p>\n<p>  * Obfuscator.io<br \/>  * Pusher WebSockets<br \/>  * _Worker.js_ library<br \/>  * _kel.js_ \/_otp.js_ \/_auth.js\/jquery.js_ library<\/p>\n<p>We identified several other targets, related to payroll, HR, billing, payment solutions and even commerce platform Shopify. 
The earliest use we could find goes back to July 2024, but it appears to have flown under the radar.<\/p>\n<p>**Justworks**: Payroll, benefits, HR, and compliance \u2014 all in one place.<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/04\/image_955656.png?w=1024)<\/p>\n<p>**Marqeta**: End-to-end credit and payment solutions integration into business processes<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/05\/image_ddd1e7.png)<\/p>\n<p>**Shopify**: Commerce platform<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/05\/image_7a4d9b.png)<\/p>\n<p>**OmniFlex** (Worldpay): online point of sale solution<\/p>\n<p>![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/05\/image_23f2a7.png)<\/p>\n<p>## Conclusion<\/p>\n<p>The FBI&#8217;s PSA highlights several key measures businesses can adopt to protect users, related to the following:<\/p>\n<p>  * Domain spoofing: Brand impersonation is a real problem that companies need to proactively look out for.<br \/>  * Notifications: Victims need to be alerted in several different ways in a timely manner.<br \/>  * Education: Phishing is getting more sophisticated and users need to be aware of how to best protect themselves.<\/p>\n<p>In that same report, the FBI advises consumers to check the URL to make sure the site is authentic before clicking on an advertisement. This is usually a sound practice, but as we have documented on this blog many times, URLs within ads can also be spoofed.<\/p>\n<p>Ultimately, the discovery of this phishing kit, with its advanced capability to interact with financial data, reinforces a critical message: online security is a shared responsibility. 
Users must exercise caution and critical thinking in their online interactions while enhancing their security with available tools; platforms must remain committed to detecting and preventing abuse.<\/p>\n<p>Browser extensions such as Malwarebytes Browser Guard will block ads but also the scams or malware sites associated with these schemes.<\/p>\n<p>## Indicators of Compromise<\/p>\n<p>Redirect<\/p>\n<p>    deel[.]za[.]com<\/p>\n<p>Phishing domains<\/p>\n<p>Worker.js (SHA256)<\/p>\n<p>    56755aaba6da17a9f398c3659237d365c52d7d8f0af9ea9ccde82c11d5cf063f<\/p>\n<p>kel.js\/otp.js\/auth.js\/jquery.js (SHA256)<\/p>\n<\/div>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/cybercrime\/2025\/05\/cyber-criminals-impersonate-payroll-hr-and-benefits-platforms-to-steal-information-and-funds\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds Update ID MALWAREBYTES:C4969F80FC21011210563A880B97CC62 Type malwarebytes Published&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,115,13,33,7,11,5],"class_list":["post-3644","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=3644\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta 
property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds Update ID MALWAREBYTES:C4969F80FC21011210563A880B97CC62 Type malwarebytes Published...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=3644\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-08T13:37:44+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3644#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3644\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and 
funds\",\"datePublished\":\"2025-05-08T13:37:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3644\"},\"wordCount\":1716,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3644#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3644\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3644\",\"name\":\"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-08T13:37:44+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3644#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3644\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3644#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=3644","og_locale":"en_US","og_type":"article","og_title":"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds - zero redgem","og_description":"Security Update News Update Information Title Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds Update ID MALWAREBYTES:C4969F80FC21011210563A880B97CC62 Type malwarebytes Published...","og_url":"https:\/\/zero.redgem.net\/?p=3644","og_site_name":"zero redgem","article_published_time":"2025-05-08T13:37:44+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=3644#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=3644"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and 
funds","datePublished":"2025-05-08T13:37:44+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=3644"},"wordCount":1716,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=3644#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=3644","url":"https:\/\/zero.redgem.net\/?p=3644","name":"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-08T13:37:44+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=3644#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=3644"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=3644#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero 
redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3644"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3644\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&p
ost=3644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}