Server-Side Phishing Attacks Exploit Employee and Member Portals to Steal Login Credentials

A sophisticated phishing campaign targeting employee and member portals has been detected, employing server-side validation techniques to evade detection.

The attackers are using PHP-based phishing kits to steal credentials through cloned login pages, with infrastructure traced to Chang Way Technologies Co. Limited in Russia.

The operation was identified through an investigation that started with observations from Malwarebytes and Silent Push researchers who reported on similar attacks targeting Lowe’s employees.

Using the HuntSQL Crawler dataset, researchers constructed targeted queries that revealed multiple phishing domains containing references to “xxx.php” within HTML and “/online” in URL paths.

One notable domain, myinfoaramapay[.]com, was found impersonating Aramark’s MyAccess portal.

The phishing page created a near-identical replica of the legitimate site, capturing credentials and redirecting victims to the actual Aramark Single Sign-On page.

Unlike previous variants that performed client-side validation, the updated attack infrastructure has moved credential validation server-side via a “check.php” endpoint.

Advanced 2FA Bypass Techniques Observed

The threat actors have implemented sophisticated techniques to bypass two-factor authentication. A domain impersonating Highmark healthcare (hignmarkedmemb[.]com) was observed with enhanced functionality that simulates a complete 2FA workflow.

Figure: Malicious login page impersonating Highmark.

This variant uses Material Design styling to replicate enterprise UI frameworks and submits the OTP through a JavaScript-controlled “getUpdates2fa()” function, a significant evolution in the attackers’ tactics.

After credentials are submitted, the script polls the check.php endpoint every second to validate credentials server-side.

According to Hunt researchers, this server-side validation approach significantly hinders detection by security tools and researchers by obscuring key detection points previously relied upon by defenders.

The phishing infrastructure hosts at least 12 domains on IP address 80.64.30[.]101, targeting organizations including AT&T, AFLAC, and various corporate portals.

A second server at 80.64.30[.]100 hosts additional malicious domains impersonating Canadian E-Services, United Airlines employee portals, and other enterprise login templates.

The primary hosting infrastructure has been traced to Chang Way Technologies Co. Limited (AS57523), a Hong Kong-registered ASN previously associated with malware distribution and exploitation activities.

Figure: Screenshot of the phishing page at myinfoaramapay[.]com.

Security teams should monitor for POST requests to suspicious PHP scripts such as xxx.php and check.php, particularly when paired with domains mimicking enterprise portals.

The targeting of employee portals suggests the attackers are focused on gaining initial access to corporate environments, where stolen credentials can be leveraged for internal pivoting and account abuse, often before security alerts are triggered.

Organizations should implement additional authentication safeguards and monitor for the specific request patterns described, particularly those containing “type=3” parameters indicating potential OTP phishing attempts.
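The two detection recommendations above (POST requests to xxx.php and check.php on hosts mimicking enterprise portals, and requests carrying a type=3 parameter) can be turned into a simple log-scanning rule. The following is an added example written for this article, not code from Hunt or from the phishing kit. It parses a constructed, simplified proxy log format (timestamp, client IP, method, URL) that is an assumption for the example, flags the script names and parameter named in the report, matches the defanged domains from the IOC section, and also looks for the one-second polling of check.php described earlier by counting bursts of check.php POSTs from one client to one host.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Script names the report identifies as the kit's credential capture
# and server-side validation endpoints.
SUSPICIOUS_SCRIPTS = {"xxx.php", "check.php"}
# Parameter the report associates with OTP (2FA) phishing attempts.
OTP_PARAM = ("type", "3")
# Defanged domains from the article's IOC section.
KNOWN_IOC_DOMAINS = {
    "forurbestexper[.]com", "hignmarkedmemb[.]com", "attdomhomepage[.]com",
    "myinfoaramapay[.]com", "charterssonidp[.]com",
}


def refang(domain):
    """Turn a defanged indicator such as example[.]com into a matchable host name."""
    return domain.replace("[.]", ".").lower()


IOC_HOSTS = {refang(d) for d in KNOWN_IOC_DOMAINS}

# Constructed sample log, not real traffic. Format (assumed for this
# example): "<ISO timestamp> <client IP> <method> <URL>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET https://intranet.example.com/online/index.html
2024-01-01T10:00:07Z 10.0.0.5 POST https://portal-login.example.net/online/xxx.php
2024-01-01T10:00:08Z 10.0.0.5 POST https://portal-login.example.net/online/check.php
2024-01-01T10:00:09Z 10.0.0.5 POST https://portal-login.example.net/online/check.php
2024-01-01T10:00:10Z 10.0.0.5 POST https://portal-login.example.net/online/check.php?type=3&code=123456
2024-01-01T10:00:12Z 10.0.0.9 POST https://hr.example.com/login
2024-01-01T10:00:15Z 10.0.0.9 GET https://hignmarkedmemb.com/online/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    parts = urlsplit(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "raw_ts": ts,
        "client": client,
        "method": method.upper(),
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "query": parse_qs(parts.query),
    }


def classify(entry):
    """Return the list of alert tags for one parsed request (empty if nothing matched)."""
    tags = []
    script = entry["path"].rsplit("/", 1)[-1].lower()
    if entry["method"] == "POST" and script in SUSPICIOUS_SCRIPTS:
        tags.append(f"post-to-{script}")
        if entry["path"].startswith("/online/"):  # URL path convention noted in the report
            tags.append("online-path")
    key, value = OTP_PARAM
    if value in entry["query"].get(key, []):
        tags.append("otp-phish-type3")
    if entry["host"] in IOC_HOSTS:
        tags.append("known-ioc-host")
    return tags


def scan(log_text):
    """Run classify() over every line and return (timestamp, client, host, path, tags) per hit."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            alerts.append((entry["raw_ts"], entry["client"], entry["host"], entry["path"], tags))
    return alerts


def polling_bursts(log_text, min_posts=3, window_seconds=10):
    """Find (client, host, count) pairs with min_posts or more check.php POSTs inside one window.

    The kit polls check.php every second after credentials are submitted, so a
    burst of POSTs to that script from one client is a useful signal on its own.
    """
    stamps_by_pair = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].rsplit("/", 1)[-1].lower() == "check.php":
            stamps_by_pair.setdefault((e["client"], e["host"]), []).append(e["ts"])
    bursts = []
    for (client, host), stamps in stamps_by_pair.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            if n >= min_posts:
                bursts.append((client, host, n))
                break
    return bursts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print("polling bursts:", polling_bursts(SAMPLE_LOG))
```

The script-name and parameter checks are deliberately loose (any host, any path) so that they also catch lookalike domains not yet on an IOC list; in production the hits should be joined with the host reputation data and the "online" path convention the report describes before paging anyone.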

This campaign demonstrates how threat actors continue to evolve their techniques to circumvent security measures, shifting from client-side to server-side validation to enhance stealth and persistence in their operations.

Indicators of Compromise (IOCs)

Key IP addresses include 80.64.30[.]100 and 80.64.30[.]101, hosting numerous phishing domains including forurbestexper[.]com, hignmarkedmemb[.]com, and attdomhomepage[.]com.

Additional domains served through Cloudflare (104.21.32[.]181, 172.67.153[.]52) include myinfoaramapay[.]com and charterssonidp[.]com.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
