'Phishing' Sites Buying Workplace Login Details Linked to Well-Funded Startup

Earlier this year, workers across the country received a tantalizing email from an organization called Workplace Unite: provide us with your workplace login credentials, and we'll pay you a neat $500. Not only that, but Workplace Unite would also keep paying the recipients $25 a month as long as the login credentials continued to work. Other sites with similar names and branded websites such as "Workers Unite" offered a one time payment of $100.

"Workplace Unite aims to maximize the personal value of every worker's data," a message on one of the sites reads. "We are looking for people who work (or used to work) at various companies to join our paid beta program and share their work experience with us. This knowledge sharing will aid us at building a new tool which will put every worker in charge of their own personal data."

Some of the sites said that people providing their payroll account credentials would let them see how much they earn compared to their peers. But this access also lets whoever is harvesting all of these credentials to get that sort of visibility at scale, potentially monitoring the salaries or pay of different roles across various industries.

Behind the cute marketing was what appeared to be a potential security and legal issue. An employee providing access to their current or past employer's payroll infrastructure without authorization could fall afoul of the U.S.'s hacking laws. But interestingly, those emails and sites offering payment for login details are clearly linked to a startup called Argyle which recently raised $20 million in funding, according to analysis from security researchers and Motherboard.

Motherboard verified that multiple examples of the suspicious domains like Workers Unite offering payment make HTTP requests either to the main Argyle site or to other applications that mention Argyle in their calls, indicating a connection between the pages and Argyle itself.

Argyle, a New York City-based data broker, claims to provide clients valuable insights by acting as a "gateway to access employment records," and says it has some 40 million records. Argyle's public A Round funding memo says that the company "maintains a live data feed to the systems these employers use to manage employment records, and provides a normalized data set so that businesses can make use of employment data in a way that is simple yet impactful."

In short, Argyle collates payroll and employment history, and then provides access to that for clients.

Argyle's $20 million in funding comes from Bain Ventures, Bedrock, F-Prime, and Checkr, according to Argyle's website.

"By removing the barriers between workers, employment records, and the companies who want to access those records, Argyle has reimagined how industries can use employment data," Shmulik Fishman, Argyle's CEO and cofounder, told non-profit Efma in January.

Questions about where at least some of that data was coming from started in March, when security researcher Kevin Beaumont tweeted screenshots of what he said was a "really crazy bit of phishing targeting companies across the U.S."

"Workplace Unite [...] is our proprietary platform which provides workers with universal access to their income and work data and allows workers to control who uses this data, how and when," one of the solicitation messages read. It then explicitly asked readers to share login credentials for their employer accounts.

"By participating in the Program, you agree to provide us with your Credentials, so that we can access your Work Account(s) for the purpose of running compatibility tests with the Work Accounts to further improve Workplace Unite. In exchange, we will pay you in accordance with these Terms," one adds.

Other researchers found more similar domains. William Thomas, security researcher at threat intelligence firm Cyjax, tweeted some of his findings at the time, and more recently provided Motherboard with a spreadsheet of the domains he uncovered.

The exact contours of the sites’ relationship to Argyle—whether Argyle is running the sites itself to gather data, or whether the sites belong to an Argyle client, for instance—are unclear. As well as the HTTP calls to Argyle, Motherboard found that at least some of the suspicious websites contain identical language as profiles describing Argyle online.

Workersunite.org, one of the domains flagged by researchers, says it "aims to maximize the personal value of every worker's data." The Crunchbase profile for Argyle says the company "aims to maximize the personal value of every worker's data."

Motherboard sent multiple emails to Argyle's main press inbox last week and Monday, and emailed two people listed on company press releases as public relations contacts for the company. One of those said they no longer worked with Argyle, but had forwarded our request to Argyle's founders and the company's marketing lead. Motherboard asked in each request for comment whether Argyle operated the domains at any point in time, or whether they were operated on behalf of Argyle. Argyle itself did not respond to any of Motherboard's emails.

After Beaumont and others tweeted about the sites offering payment, they went offline.

Some of the sites mention specific companies too.

"J.P. Morgan Chase workers beta group," one page read according to a screenshot posted by Thomas. "Successful applicants receive $100 reward." Other pages named T-Mobile, insurance firm The Hartford, and Amazon.

Neither J.P. Morgan Chase, Amazon, or T-Mobile responded to questions asking if any of their employees had provided login credentials to the page. The Hartford acknowledged a request for comment but stopped responding to follow-up messages.

Motherboard found many of the domains have corresponding Facebook Pages, sometimes with thousands of likes.

"Compare your wage against peers anonymously and see where do you rank!" an image uploaded to one of the Facebook groups reads.

Generally speaking, employees do not have blanket authorization to share or do what they wish with their corporate login credentials, either for past or current jobs. In 2013, journalist Matthew Keys was indicted for providing members of Anonymous with login credentials for the Tribune Company; hackers then used those credentials to deface the Los Angeles Times' website. Keys was sentenced to two years in prison. In another case, Christopher Correa, a former executive for the baseball team the Cardinals, was sentenced to four years in prison for logging into a Cardinals system by using a password from his former employer.

Subscribe to our cybersecurity podcast CYBER, here.