Chiffon Herring Linked to New Payroll Diversion Attacks

Setting the hook to divert funds

• The general structure of an attack from this group is similar to many other payroll diversion attacks.
• As part of the attack, the attackers pose as non-executive employees, such as teachers and professors, and send emails to the department head at a university or office staff at a school district.
• The emails indicate that the impersonated teacher has recently changed to new banks and needs to update their direct deposit information. To create a sense of urgency, the email also mentions that the previous account will become inactive before the next payday.
• In addition to spoofing teacher email addresses, the analysis reveals that Chiffon Herring also leverages GoDaddy infrastructure to send the attacks. 

Green Dot Bank used to divert funds

• In almost all of these attacks, Chiffon Herring provides banking details of Green Dot Bank to redirect the funds.
• The accounts under these banks are relatively easy to open and are mostly linked to prepaid cards. 
• Prepaid cards are commonly used in payroll diversion attacks to receive direct deposits up to 48 hours before a payday. In this way, the threat actors can have access to diverted funds for several days before the targeted victim even realizes anything is wrong.

Staying safe