
We’ve all searched for a work website online instead of typing the address. That simple habit is now a trap set by clever scammers called Payroll Pirates. They use fake ads to steal workers’ paychecks and personal information.
Cybersecurity researchers estimate the campaign has lured more than 500,000 users across affected sites, according to Check Point research.
When you click their ad and log in, you hand your credentials directly to the criminals. The campaign primarily targets employees who use online payroll and HR portals and other financial login services, making it a serious risk to payroll and account security.

Imagine searching for your work portal and the first result looks legitimate. Payroll Pirates pay for ads on Google and Bing to place their fake sites at the very top of search results. They specifically target employees trying to access pay stubs or work benefits.
This method is dangerously effective because it exploits our trust in major search engines. You might think you’re being efficient, but you’re walking into a carefully laid trap. The fake sites are convincing copies, making it hard to distinguish them from the real login pages you use every day.

The scope of this operation is truly staggering. Cybersecurity experts found that over 200 different company platforms have been impersonated so far. This is not a small-time phishing attempt targeting just one company.
Researchers estimate that more than 500,000 users were exposed to these spoofed login pages, according to Check Point. While that number represents a substantial set of victims, it does not imply a majority of the US workforce.

Researchers warn that two-factor authentication that is not phishing-resistant can be bypassed with adversary-in-the-middle phishing techniques that harvest one-time codes in real time.
The group’s phishing kits can intercept your one-time codes as you enter them, which gives the attackers immediate access to your account.
Your extra layer of security becomes useless against their sophisticated theft process. They designed their fake sites to prompt you for the code right after you enter your password, making it seem like a normal login procedure.
How do the criminals steal your code so quickly? Researchers observed operators using Telegram bots and channels to request one-time codes and security answers from victims in real time. The bot can message you directly, often pretending to be a security system that needs verification.
It will ask for your two-factor code or the answer to a security question. This real-time interaction makes the scam feel incredibly authentic and is very difficult for everyday users to detect as fraud.
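Why "phishing-resistant" matters here, as an added example that is not from the article or from Check Point: a time-based one-time code is valid no matter which site it was typed into, while a response computed over the site's origin fails when it comes from a look-alike page. The origins, secret and timestamp are constructed, and an HMAC stands in for the public-key signature that real FIDO2/WebAuthn authenticators produce.

```python
import hashlib
import hmac
import struct

# Constructed values for this sketch; none of them come from the article.
REAL_ORIGIN = "https://payroll.example.com"
FAKE_ORIGIN = "https://payroll-login.example.net"
SECRET = b"constructed-shared-secret"
NOW = 1_700_000_010  # fixed timestamp so the run is repeatable

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock."""
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(code: str, at: float) -> bool:
    """Accept the current or previous step; the site it was typed on is unknown."""
    return any(hmac.compare_digest(code, totp(SECRET, at - d)) for d in (0, 30))

def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator side: the browser supplies the origin it is actually on.
    Simplification: HMAC replaces the public-key signature of a real
    phishing-resistant authenticator."""
    return hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def server_accepts_bound(response: bytes, challenge: bytes) -> bool:
    """The server only accepts a response computed over its own origin."""
    expected = origin_bound_response(SECRET, challenge, REAL_ORIGIN)
    return hmac.compare_digest(response, expected)

def simulate(now: float) -> dict:
    challenge = b"constructed-server-challenge"
    # The user is on the look-alike page; whatever they produce is forwarded.
    relayed_code = totp(SECRET, now)
    relayed_resp = origin_bound_response(SECRET, challenge, FAKE_ORIGIN)
    direct_resp = origin_bound_response(SECRET, challenge, REAL_ORIGIN)
    return {
        "totp_relayed": server_accepts_totp(relayed_code, now + 5),
        "bound_relayed": server_accepts_bound(relayed_resp, challenge),
        "bound_direct": server_accepts_bound(direct_resp, challenge),
    }

if __name__ == "__main__":
    print(simulate(NOW))
```

The forwarded one-time code is accepted five seconds later, the origin-bound response from the look-alike page is rejected, and the same authenticator used on the genuine site succeeds.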

Check Point found that some redirect and white pages used to pass ad reviews were hosted via providers in Kazakhstan and Vietnam, complicating takedown efforts. They also use cloaked domains that disguise their true nature from both users and security software.
This global setup makes it incredibly difficult for authorities to track them down. Their use of multiple countries and technologies creates a robust shield against takedown attempts. They are playing a sophisticated international game with your financial security at stake.

Investigators initially believed they were tracking two separate criminal campaigns. One cluster used Google Ads with redirects through seemingly harmless white pages. The other relied on Bing Ads and on old, repurposed domains cloaked through services to appear legitimate.
Further analysis revealed both were part of one unified, sophisticated network. This shows a higher level of organization and funding than your average phishing group, making them more dangerous and persistent.

Logs reviewed by Check Point showed at least four administrators managing Telegram channels tied to different target types. They separately focus on payroll platforms, credit unions, and even healthcare benefits portals.
Researchers even found one of the admins posting a video from Odessa, Ukraine. This crucial clue confirms that at least one operator is based there, putting a real location on this digital threat.

The Payroll Pirates briefly went quiet near the end of 2023. They returned in mid-2024 with much more advanced tools and techniques. Their new phishing kits are better at hiding from security systems how they steal and transmit your data.
This constant refinement means they are always adapting to bypass new security measures. They demonstrate a clear commitment to evolving their methods to continue their theft uninterrupted.

Their targets are any platforms that handle your money or sensitive data. They consistently spoof major payroll systems used by countless US companies. They also create perfect replicas of credit union websites and popular stock trading platforms.
Recently, they have expanded to fake healthcare benefits portals. Any online service connected to your finances or personal information is now a potential target for their clever impersonation attempts.

The easiest way to avoid this scam is to never search for your important login portals. Always type the website address directly into your browser’s address bar every single time. Bookmarking the genuine login page is an even safer habit that prevents any chance of error.
Be very suspicious of any site that asks for your two-factor code again immediately after you entered it. Legitimate services will seldom ask you to re-enter a code you just provided in a separate prompt.

Cybersecurity firms are actively monitoring these pirates and their changing tactics. The scammers are constantly refining their methods to steal from anyone who receives a paycheck online. This threat is persistent and not going away anytime soon.
Staying informed about these modern dangers is your first and best line of defense. Your digital vigilance is the key to protecting your hard-earned money from these invisible thieves who want your paycheck.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.