
Cybercriminals are advancing their tactics, deploying sophisticated phishing kits to impersonate payroll, human resources, and benefits platforms. These campaigns exploit search advertisements to lure victims into credential theft and wire fraud.
The fraudulent campaigns impersonate payroll, HR, and billing platforms like Deel, Shopify, Marqeta, and OmniFlex (Worldpay) to gain unauthorized access and redirect funds.
Malwarebytes researchers released an analysis describing a phishing campaign targeting the Deel payroll and HR company. The attackers deployed fraudulent Google search ads for “Deel login,” redirecting users to replica websites of Deel.
These fake sites prompted users to enter their credentials and security codes, bypassing two-factor authentication (2FA).
This scheme doesn’t stop at stealing credentials. Using advanced techniques, including malicious JavaScript libraries, the attackers manipulate banking and payment information associated with the victim's accounts.
A significant component of this phishing kit is the use of Pusher web services, enabling real-time data manipulation.
Cybercriminals placed misleading ads that appeared above genuine search results for Deel, redirecting victims to phishing domains. These mimic Deel’s login pages but disable secure login options like Google Authentication, forcing users to enter credentials manually.
While 2FA is a critical security measure, these attackers defeat it by intercepting the OTP (one-time password) the victim types into the fake page and using it in real time to gain complete access.
The phishing kit employs obfuscated JavaScript libraries, such as kel.js and Worker.js, which interact with the real Deel platform in real time while silently exfiltrating the user's data.
Notably, the attackers use advanced techniques like domain spoofing with modified subdomains, obfuscating their presence, and bypassing ad filters. Key phishing indicators include domains such as:
A recent FBI Public Service Announcement (PSA) highlights the increase in phishing scams targeting payroll systems, unemployment accounts, and more. The Bureau emphasizes vigilance in verifying URLs before entering sensitive data and warns businesses to monitor for brand impersonation.
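As an added defender-side example (not code from the Malwarebytes analysis or the FBI PSA), the script below scans ad-click or proxy log lines and flags URLs where the Deel brand name is carried inside a subdomain of a foreign registrable domain, or where the apex label is a one-character typosquat of the brand. The allowlist, the naive apex extraction and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the brand's genuine registrable domain (assumption for this example).
LEGIT_DOMAINS = {"deel.com"}
BRAND_TOKENS = ("deel",)

def registrable_domain(host: str) -> str:
    """'login.deel.com' -> 'deel.com'. Naive last-two-labels rule; a real deployment
    should use the Public Suffix List so that 'x.deel.co.uk' resolves correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Label a URL as legit, brand-in-foreign-domain, typosquat or unrelated."""
    host = urlparse(url).hostname or ""
    apex = registrable_domain(host)
    if apex in LEGIT_DOMAINS:
        return "legit"
    apex_label = apex.split(".")[0]
    for brand in BRAND_TOKENS:
        if brand in host:                        # brand name under a foreign apex
            return "brand-in-foreign-domain"
        if levenshtein(apex_label, brand) <= 1:  # one-character typosquat of the apex
            return "typosquat"
    return "unrelated"

URL_RE = re.compile(r"https?://[^\s\"]+")

def scan_log(lines):
    """Return (url, verdict) for every suspicious URL found in the given log lines."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            verdict = classify_url(url)
            if verdict not in ("legit", "unrelated"):
                hits.append((url, verdict))
    return hits

# Constructed sample log lines; the hostnames are placeholders, not real indicators.
SAMPLE_LOG = [
    "2025-01-01T09:00:01Z user=a src=ad_click url=https://app.deel.com/login",
    "2025-01-01T09:02:13Z user=b src=ad_click url=https://deel.login.example.net/auth",
    "2025-01-01T09:05:40Z user=c src=ad_click url=https://deeel.example/login",
    "2025-01-01T09:07:02Z user=d src=ad_click url=https://www.example.org/",
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second and third entries; the same check applied to a browser's address bar is the URL verification the PSA recommends.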
Currently, a lawsuit alleges Deel placed a spy in competitor Ripple as part of an extensive trade-secret theft and corporate espionage operation.