The PhishWP WordPress plugin is well-equipped to turn legitimate shopping sites into phishing pages that capture sensitive payment and browser details.
In a smart campaign, Russian cybercriminals are turning trusted online stores into phishing pages that capture sensitive details through convincing payment interfaces.
According to a research by the cybersecurity firm Slashnext, the Russian miscreants have built a WordPress plugin, PhishWP, which creates fake payment pages that look like trusted services, such as Stripe.
“WordPress is one of the most popular web application publishing platforms that is easy to customize via plugins,” said Mayuresh Dani, manager of security research at Qualys Threat Research Unit. “Consumers and administrators alike are familiar with the WordPress interface, which makes plugins such as PhishWP a higher risk.”
According to SlashNext, information at risk includes credit card number, expiration date, CVV, billing address, and browser metadata.
Telegram for faster exfiltration
PhishWP integrates with Telegram, instantly transmitting stolen data to attackers once a victim presses “enter,” SlashNext noted in a blog post, accelerating and enhancing the efficiency of phishing attacks.
“As soon as a user enters their payment details, the plugin transmits that information directly to the attacker, via instant messaging platforms like Telegram,” said Jason Soroko, senior fellow at Sectigo. “This immediate forwarding of information equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data—sometimes within minutes of capturing it.”
Attackers can either hack legitimate WordPress websites or create fake ones to install the plugin. Once set up to look like a payment gateway, it tricks users into entering their payment information.
The plugin was reportedly found to be distributed on a Russian cybercrime forum.
Advanced OTP theft
The research also revealed an added potential for the plugin to be used for more advanced theft leading to fake transactions.
According to SlashNext findings, PhishWP employs advanced tactics, such as stealing the OTP sent during a 3D Secure (3DS) check. By capturing this code, attackers can impersonate users, making their fraudulent transactions appear legitimate.
“With the OTP in hand, cybercriminals bypass one of the most critical safeguards in digital transactions, making their fraudulent activities look alarmingly legitimate to both banks and unwitting shoppers,” Soroko said. “Many people have been trained to believe that one-time passcodes (OTP) help a system to be more secure, but in this case, they are merely handing over the keys to their adversary.”
Other key features offered with the plugin include customizable checkout pages, auto-response emails, multi-language support, and obfuscation options.
