PhishWP, a newly discovered WordPress plugin, is being used by cybercriminals to maliciously convert legitimate websites into phishing traps, putting user data at risk.
Cybercriminals created the WordPress plugin PhishWP. It generates fake payment pages that closely resemble legitimate providers like Stripe.
Threat actors use it to steal sensitive data, including browser metadata, credit card details, and personal information.
Additionally, PhishWP integrates with Telegram, allowing attackers to access stolen data as soon as a victim presses “enter.” This increases the speed and effectiveness of phishing attacks.
How do Attackers use PhishWP?
Attackers can either compromise legitimate WordPress sites or create fraudulent ones, and then install the plugin on them. Once the plugin is set up to look like a payment gateway, unaware users are tricked into providing their payment information.
PhishWP creates incredibly realistic fake interfaces by simulating payment processors like Stripe with customizable checkout pages.
Through skillfully crafted phishing emails, social media advertisements, or deceptive search results, victims find their way to the website.
Following the entry of payment and personal data, PhishWP instantly sends all sensitive information, including addresses, credit card details, and even unique security codes, to the attacker, usually via Telegram.
A fake confirmation email is then sent to the victim, leading them to believe their transaction was successful. In the meantime, the attacker sells or uses the stolen data on underground web marketplaces.
“PhishWP uses advanced tricks, like stealing the special OTP sent during a 3D Secure (3DS) check during the checkout process,” SlashNext said in a report shared with Cyber Security News.
3DS is a security feature that sends a short code to the user’s phone or email to verify that they are the actual cardholder.
By obtaining this code, attackers can impersonate users and make their fraudulent transactions appear entirely legitimate.
It also sends fake order confirmations to victims, delaying suspicion and detection.
Additionally, it supports many languages, which allows for worldwide phishing campaigns, and it is offered either with source code for more sophisticated customizations or as an obfuscated version of the plugin for stealth.
To mimic user environments for future fraud, it records information, including IP addresses, screen resolutions, and user agents.
Therefore, it is more crucial than ever to remain vigilant and use robust security technologies. Advanced browser-based phishing protection tools are advised for quick threat identification and blocking.
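For site owners, the combination described above (a plugin that handles card or OTP fields and also talks to Telegram) can be triaged on disk. The following is an added example, not code from the article or from SlashNext: it assumes the exfiltration goes through the Telegram Bot API host `api.telegram.org` and uses guessed field names, and it sends packed code to manual review because the obfuscated build would hide those strings.

```python
import re
from pathlib import Path

# Heuristic indicator groups. These are assumptions for triage,
# not signatures taken from the SlashNext report.
INDICATORS = {
    "telegram": re.compile(r"api\.telegram\.org/bot", re.I),   # Bot API endpoint
    "card": re.compile(r"card[_-]?(number|num)|\bcvv\b|\bcvc\b", re.I),
    "otp": re.compile(r"\botp\b|3ds|3d[_-]?secure", re.I),
    "packed": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

# Constructed PHP fragments (not real PhishWP code) used as sample input.
SAMPLE_EXFIL = ("<?php $c = $_POST['card_number']; $o = $_POST['otp']; "
                "$u = 'https://api.telegram.org/bot<TOKEN>/sendMessage';")
SAMPLE_CHECKOUT = ("<?php $i = \\Stripe\\PaymentIntent::create(['amount' => $t]); "
                   "// card_number is tokenized client-side")
SAMPLE_PACKED = "<?php eval(base64_decode($blob));"

def indicators_in(source: str) -> set:
    """Return the names of the indicator groups present in one PHP source."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}

def verdict(found: set) -> str:
    """high: Telegram endpoint next to card/OTP handling; review: needs a human."""
    if "telegram" in found and found & {"card", "otp"}:
        return "high"
    if found & {"telegram", "packed"}:
        return "review"
    return "clean"

def scan_plugins(root: str) -> dict:
    """Walk a plugins directory and return {path: verdict} for non-clean files."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        v = verdict(indicators_in(path.read_text(errors="ignore")))
        if v != "clean":
            hits[str(path)] = v
    return hits

if __name__ == "__main__":
    for name, src in [("exfil", SAMPLE_EXFIL), ("checkout", SAMPLE_CHECKOUT),
                      ("packed", SAMPLE_PACKED)]:
        print(name, verdict(indicators_in(src)))
```

Point `scan_plugins` at the site's plugins directory and compare any hit against the list of plugins the site is supposed to run; a "review" result is a prompt to inspect the file, not proof of compromise.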