Threat actors have a particular affinity for ADP-themed attacks as it is a prime target rich with both financial data and confidential employee information. These campaigns are often strategically timed to coincide with open enrollment season, when employees expect communications related to pay and benefits.
In a recent example, an attacker leveraged a compromised personal Roadrunner/Charter email account to distribute convincing phishing messages urging recipients to act regarding their payroll and benefits details. The message was carefully crafted, polished and professional enough to appear legitimate, yet subtle enough to avoid triggering suspicion.
The link within the message led to a scammer favorite, a customized CNAME on Google’s Firebase service (*[.]web[.]app). The attackers cleverly themed the page to resemble ADP’s legitimate login portal, another step to minimize red flags. The fake page even included ADP’s logo, footer text, and privacy links, giving it an air of authenticity despite being hosted outside ADP’s domain.
To evade security crawlers and link-scanning tools, the fake portal’s source code was heavily obfuscated using random variable names, hex, and URL encoding. This technique helps the phishing page stay active longer and hide its true data theft routines. Once credentials are entered, they are likely exfiltrated to a remote collection server or sold on underground markets.
The campaign demonstrates how attackers exploit predictable corporate cycles such as open enrollment to increase success rates. By aligning their lures with legitimate HR themes and using trusted hosting platforms like Firebase, threat actors can bypass many automated defenses and reach end users directly. Organizations should remind employees to access ADP and HR systems by typing the URL directly rather than clicking links in emails, especially during enrollment season.
