CyberSecurity SEE

PhishWP Plug-in Takes Over WordPress e-Commerce Checkouts

A malicious plug-in developed by Russian cybercriminals and discovered on a Russian cybercrime forum can turn WordPress sites into convincing phishing pages. Known as PhishWP, it impersonates trusted checkout services like Stripe and tricks users into entering their payment information, which the cybercriminals then steal. The researchers at SlashNext, who uncovered the plug-in, outlined the features that make it particularly dangerous for unsuspecting victims.

In a recently published report, SlashNext researchers revealed that PhishWP not only duplicates legitimate payment processes to appear authentic but also includes a feature that allows users to create one-time passwords (OTPs) during transactions, adding an extra layer of perceived security. Instead of completing the payment, however, the plug-in captures sensitive data such as credit card details, CVVs, and billing addresses and sends it directly to a Telegram account managed by the cybercriminals. Because the theft happens in real time, threat actors can exploit the stolen information almost immediately.

According to SlashNext security researcher Daniel Kelley, PhishWP’s design is specifically crafted to deceive users into thinking that their transactions are safe and secure while providing cybercriminals with the necessary information to conduct fraudulent activities. By swiftly obtaining sensitive credentials, cybercriminals can quickly make unauthorized purchases or sell the stolen data to other malicious actors for profit, underscoring the plug-in’s efficiency in carrying out cybercrimes.

Additional functionalities of PhishWP include OTP hijacking, customizable checkout pages that replicate common payment processes, and browser profiling to gather user data beyond payment details. Attackers can therefore capture financial information and also send false order confirmations through auto-response emails, which delays any suspicion of fraud. The plug-in's Telegram integration transmits stolen data to the cybercriminals instantly, so they can exploit it without delay.

The plug-in also offers an obfuscated version for stealthy operations and enables users to customize its source code for advanced attacks. With multilanguage support, cybercriminals can target victims globally, expanding the scope of their illicit activities across different regions. This versatility and adaptability make PhishWP a potent weapon in the hands of threat actors seeking to exploit vulnerabilities in WordPress sites for financial gain.
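The Telegram exfiltration and the obfuscated build described above suggest one check a site owner can run over `wp-content/plugins`. The following is an added example, not code from the article, SlashNext, or PhishWP; it assumes the data leaves through the Telegram Bot API host `api.telegram.org` (the article only says "Telegram"), and the field names, directory names, and sample files are constructed.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumption: exfiltration goes through the Telegram Bot API host.
TELEGRAM_HOST = b"api.telegram.org"
PAYMENT_FIELD = re.compile(rb"(?i)\b(cvv|cvc|card[_-]?number|otp)\b")
B64_LITERAL = re.compile(rb"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

def views(data):
    """Return the raw bytes plus any quoted literal that decodes as base64."""
    out = [data]
    for m in B64_LITERAL.finditer(data):
        try:
            out.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:  # not valid base64 after all
            pass
    return out

def scan_plugins(root):
    """Map each PHP file that references the Telegram host to its indicators."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        vs = views(path.read_bytes())
        if not any(TELEGRAM_HOST in v for v in vs):
            continue
        hits = ["telegram-endpoint"]
        if any(PAYMENT_FIELD.search(v) for v in vs):
            hits.append("payment-field")
        report[path.relative_to(root).as_posix()] = hits
    return report

def write_constructed_samples(root):
    """Constructed, inert PHP fragments; none is taken from PhishWP."""
    url = b"https://api.telegram.org/"
    samples = {
        "shop-gateway/pay.php": b"<?php $n = $_POST['card_number'];",
        "fake-checkout/a.php": b"<?php $u = '" + url + b"'; $c = $_POST['cvv'];",
        "fake-checkout/b.php": b"<?php $u = base64_decode('"
        + base64.b64encode(url) + b"'); $o = $_POST['otp'];",
    }
    for name, body in samples.items():
        target = Path(root, name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp)
        for name, hits in scan_plugins(tmp).items():
            print(name, hits)
```

A hit is a lead for manual review, since legitimate notification plug-ins also call Telegram. The scan only unwraps base64 string literals, so heavier obfuscation will not be caught by it.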

The widespread popularity of WordPress has made it a prime target for cyberattackers, who leverage malicious plug-ins like PhishWP to conduct e-commerce phishing campaigns on a massive scale. With millions of websites using WordPress as their platform, the attack surface is vast, providing ample opportunities for cybercriminals to infiltrate sites and deceive unsuspecting users. To mitigate the risks associated with such threats, SlashNext recommends deploying browser-based phishing protection that can proactively detect and block phishing sites before users are exposed to malicious content.

By integrating real-time threat detection capabilities within browsers, users can safeguard their online transactions and personal information from potential phishing attacks. These solutions offer an additional layer of security that complements traditional security measures, ensuring a more comprehensive defense against evolving cyber threats. As cybercriminals continue to develop sophisticated tactics like PhishWP, implementing robust protection mechanisms becomes essential for safeguarding online activities and preventing financial losses due to fraudulent activities.
