New WordPress Plugin That Weaponizes Legit Sites To Steal Customer Payment Data

Cybercriminals have developed PhishWP, a malicious WordPress plugin, to facilitate sophisticated phishing attacks, which enable attackers to create convincing replicas of legitimate payment gateways, such as Stripe, on compromised or fraudulent WordPress websites. 

By seamlessly integrating with Telegram, PhishWP facilitates real-time data exfiltration, including credit card details, personal information, and even 3DS authentication codes. 

This allows attackers to bypass security measures and execute fraudulent transactions with increased efficiency, posing a significant threat to online users and businesses alike.

In order to steal user information during online transactions, a malicious WordPress plugin known as PhishWP uses a variety of deceptive strategies. 

By mimicking legitimate payment gateways, it harvests card details and 3DS codes through convincing interfaces. Integrated with Telegram, it immediately relays stolen information to attackers. 

It also profiles user environments and sends automated confirmation emails to lull victims into a false sense of security.

Multi-language support and obfuscation options enhance its versatility and stealth, enabling widespread and sophisticated phishing campaigns.

According to SlashNext, an attacker leverages PhishWP to create a fraudulent e-commerce site offering discounted products, which replicates Stripe payment pages, including 3DS authentication pop-ups. 

When users enter their payment and personal information without realizing it, the plugin secretly sends this sensitive data, including one-time passwords, to the attacker’s Telegram account.

This real-time data stream allows the attacker to quickly initiate unauthorized transactions or sell the stolen information on the dark web, causing significant financial and reputational harm to victims and businesses.

Attackers use PhishWP to compromise WordPress sites by breaching existing ones or creating fraudulent replicas.

These replicas are designed to mimic legitimate payment gateways, such as Stripe, replicating their visual design and language.

Victims are tricked into visiting these deceptive sites through targeted phishing campaigns, leading them to unknowingly enter sensitive financial and personal information into fake checkout pages.

PhishWP captures critical data, such as credit card details and security codes, and immediately transmits it to the attacker via channels like Telegram.

To maintain the illusion of a successful transaction, victims receive fraudulent confirmation emails, while the attackers exploit or monetize the stolen data within illicit online marketplaces.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free