Threat Spotlight: Hijacked Routers and Fake Searches Fueling Payroll Heist
ID: 2b53d02b-d82d-5c2d-8f27-db047e77fb82
STIX ID: report--2b53d02b-d82d-5c2d-8f27-db047e77fb82
Feed Name: ReliaQuest Blog
ReliaQuest investigated an active SEO poisoning campaign that targeted employee mobile devices with mobile-optimized phishing sites impersonating corporate login portals to harvest credentials; stolen credentials were used to access SAP SuccessFactors and reroute employee direct deposits. The adversary leveraged Pusher for real-time exfiltration of credentials and residential/mobile proxy networks (including compromised home routers) to mask access, complicating detection and investigation. Recommendations include enforcing MFA and conditional access, using SSO/bookmarks instead of search results, monitoring direct-deposit changes, and employing digital risk protection to detect impersonating domains.
