The relentless battle against online fraud is a constant evolution, a digital chase where security teams and malicious actors continually adapt. The increasing sophistication of attacks is blurring the lines between legitimate user behavior and impersonation attempts. The campaign we are exposing today is a reminder that even the most advanced security technologies do not dissuade threat actors. We discovered a new phishing kit targeting payroll and payment platforms that aims to not only steal victims' credentials but also to commit wire fraud. Our investigation began with a fraudulent search ad for Deel, a payroll and human resources company. Clicking on the ad sent employees and employers to a phishing website impersonating Deel. Beside stealing usernames, passwords and circumventing two factor authentication, we identified malicious code capable of performing additional nefarious actions unbeknownst to the victim. Using a fully authenticated web worker, this phishing kit is using a legitimate hosted web service called Pusher with the intent of manipulating sensitive profile data fields related to banking and payment information. While we were working this case, the FBI issued a public service announcement (PSA250424) warning people that cyber criminals are using search engine advertisements to impersonate legitimate websites and expanded to target payroll, unemployment programs, and health savings accounts with the goal of stealing money through fraudulent wire…Read More