
Server-Side Phishing Attacks Target Employee and Member Portals to Steal Login Credentials

Attackers have been deploying server-side phishing schemes to compromise employee and member login portals across various enterprises.

This strategic shift to server-side operations is designed to evade detection and complicate analysis.

Evolving Phishing Techniques

Recent investigations have highlighted a marked evolution in the tactics employed by phishing campaigns.

Traditional methods relied on client-side redirects to validate stolen credentials, but the current setup leverages server-side checks to do so.

According to Hunt, researchers noticed this change after identifying an initial attack vector, a Google Ads malvertising campaign targeting Lowe’s employees, and then expanding their search to uncover similar phishing operations.

Using HuntSQL, the researchers ran a targeted query against the crawler dataset to pinpoint pages exhibiting the new server-side behavior.

A notable example includes the domain myinfoaramapay[.]com, which closely mimics Aramark’s legitimate employee access portal but with subtle alterations like the removal of the virtual assistant feature.

Screenshot of the phishing page at myinfoaramapay[.]com.

Technical Analysis

Further analysis revealed that once credentials are entered into these fraudulent sites, JavaScript on the page captures the data and submits it to a PHP backend script, xxx.php.

Instead of immediate client-side validation, these scripts now trigger a new endpoint, check.php, to verify credentials server-side. This includes:

  • Immediate redirection to a legitimate login page upon successful verification.
  • An alert and page refresh if credentials are incorrect.
  • Silent polling if the server does not respond.

This backend logic significantly reduces the visibility of the phishing flow, making it harder for defenders to detect and analyze the attack.

In examining the infrastructure, which is hosted by Chang Way Technologies Co. Limited in Russia, researchers identified multiple domains on IP 80.64.30[.]101, including those mimicking major corporations like AT&T and AFLAC.

An intriguing aspect is the use of a decoy website “Technology Pharmacy CVS” directly accessible via the IP, which could be an attempt to misdirect investigations or appear legitimate to service providers.

Defenders are urged to monitor for unusual POST requests to scripts like xxx.php and check.php, especially from domains resembling enterprise login pages.

Malicious login page impersonating Highmark.

Monitoring for traffic carrying parameters that indicate secondary authentication attempts or server-side credential validation could also provide early detection of such phishing attempts.
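As an added illustration of the detection advice above (this code is not part of the report and is not Hunt's tooling), the following Python script walks a few constructed proxy log lines, flags POST requests to xxx.php and check.php on hosts outside an allowlist, raises the finding when the hostname carries a brand token such as the "aramapay" seen in myinfoaramapay[.]com, and separately flags the repeated check.php polling the report describes. The log format, brand tokens, allowlist and polling thresholds are assumptions a defender would tune for their own environment.

```python
"""Flag the server-side phishing pattern (POST to xxx.php, then check.php polling)
in web proxy logs.  Added example; log format, brand tokens, allowlist and
thresholds are constructed assumptions, not values from the report."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Backend script names named in the report.
SUSPECT_SCRIPTS = {"xxx.php", "check.php"}
# Brand tokens for portals the report says were impersonated (assumption: a
# defender keeps this list for the brands their users actually log into).
BRAND_TOKENS = ("aramark", "aramapay", "aflac", "highmark")
# Constructed allowlist of domains the organisation legitimately posts credentials to.
ALLOWLIST = {"example-corp.com", "login.example-legit.com"}
# "Silent polling": this many POSTs to check.php from one client to one host
# within this many seconds (thresholds are assumptions).
POLL_COUNT, POLL_WINDOW_SECONDS = 3, 60

# Constructed proxy log format: "<iso-timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic: one victim session against the lookalike host,
# one legitimate internal check.php, one unrelated host, one benign GET.
SAMPLE_LOGS = [
    "2025-05-27T10:00:01Z 10.1.2.3 GET https://myinfoaramapay.com/ 200",
    "2025-05-27T10:00:09Z 10.1.2.3 POST https://myinfoaramapay.com/xxx.php 200",
    "2025-05-27T10:00:10Z 10.1.2.3 POST https://myinfoaramapay.com/check.php 200",
    "2025-05-27T10:00:13Z 10.1.2.3 POST https://myinfoaramapay.com/check.php 200",
    "2025-05-27T10:00:16Z 10.1.2.3 POST https://myinfoaramapay.com/check.php 200",
    "2025-05-27T10:01:00Z 10.1.2.4 POST https://intranet.example-corp.com/check.php 200",
    "2025-05-27T10:02:00Z 10.1.2.5 POST https://cdn.unrelated-host.net/xxx.php 200",
    "2025-05-27T10:03:00Z 10.1.2.6 GET https://news.example.net/article 200",
]


def parse_line(line):
    """Parse one log line into a dict with host, script name and a datetime; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["script"] = parts.path.rsplit("/", 1)[-1].lower()
    rec["time"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def is_allowlisted(host):
    """True for an allowlisted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def looks_like_brand(host):
    """Hostname carries a brand token but is not one of our allowlisted domains."""
    return not is_allowlisted(host) and any(tok in host for tok in BRAND_TOKENS)


def analyze(lines):
    """Return (rule, client, host, script) findings for the server-side phishing pattern."""
    findings = []
    polls = defaultdict(list)  # (client, host) -> recent check.php POST times
    flagged_polling = set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "POST" or rec["script"] not in SUSPECT_SCRIPTS:
            continue
        if is_allowlisted(rec["host"]):
            continue  # POSTs to our own portals are expected traffic
        rule = "post-to-suspect-script"
        if looks_like_brand(rec["host"]):
            rule = "lookalike-post-to-suspect-script"
        findings.append((rule, rec["client"], rec["host"], rec["script"]))
        if rec["script"] == "check.php":
            key = (rec["client"], rec["host"])
            recent = [t for t in polls[key] if (rec["time"] - t).total_seconds() <= POLL_WINDOW_SECONDS]
            recent.append(rec["time"])
            polls[key] = recent
            if len(recent) >= POLL_COUNT and key not in flagged_polling:
                flagged_polling.add(key)
                findings.append(("silent-polling-check.php", key[0], key[1], "check.php"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```

On the sample traffic the lookalike host produces four lookalike findings plus one polling finding, the allowlisted intranet host is ignored, and the unrelated host gets the lower-confidence generic rule; in production the allowlist and brand list are the two knobs that control false positives.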

This ongoing campaign underscores the need for vigilance and updated security measures, particularly in environments where two-factor authentication is deployed but remains susceptible to these phishing techniques.

Indicators of Compromise (IOCs)

IP Address     | Domain                 | Hosting                            | Location
80.64.30.100   | ipafranchest.com       | Cloudflare                         | Russia, US
80.64.30.101   | lawpaymentpw.live      | Chang Way Technologies Co. Limited | Russia, US
104.21.32.181  | (Refer to full report) | Cloudflare                         | Russia, US
172.67.153.52  | (Refer to full report) | Chang Way Technologies Co. Limited | Russia, US
104.21.20.29   | (Refer to full report) | Cloudflare                         | Russia, US
172.67.191.1   | (Refer to full report) | Chang Way Technologies Co. Limited | Russia, US


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
