New PhishWP plugin facilitates advanced scams targeting payment pages

A dangerous new piece of malware has been identified: a WordPress plugin named PhishWP. Cyber attackers have used it to create fake payment pages that mimic legitimate services like Stripe, enabling the theft of sensitive financial and personal data.

According to researchers from SlashNext, PhishWP, which is circulating on a Russian cybercrime forum, allows attackers to create convincing payment interfaces that capture credit card details, billing addresses, and even one-time passwords (OTP) from victims. After the information is entered, PhishWP sends the stolen data directly to the attacker via Telegram, often in real time.

Cyber attackers can use PhishWP on existing WordPress sites or create fake sites. The plugin's pages closely resemble trusted payment gateways, making it difficult for users to detect the fraud.

Powerful Tools for Cyber Attackers

PhishWP offers a variety of features that are highly beneficial for cyber attackers. The plugin creates payment pages that closely mimic legitimate payment processors, collects one-time passwords (OTP) to bypass security measures, and sends the stolen data directly to the attacker via Telegram.

Mayuresh Dani, security research manager at Qualys, revealed that in one case, where the user had activated the 3DS request, PhishWP also included a 3DS code pop-up to ensure this information was also captured by the perpetrator. The data sent to the perpetrator includes the user’s IP address, browsing information, and credit card information.

And to ensure that the attacker has time to use the stolen information, the plugin also includes functionality that sends a confirmation email to the victim with their order details. […] It is this functionality that makes PhishWP a very successful information thief.

In addition, this malware creates browser information profiles, sends deceptive confirmation emails, supports multiple languages for global campaigns, and even includes a disguise option to hide its true purpose.

How PhishWP works

An example of an attack using PhishWP involves an attacker creating a fake e-commerce site with heavily discounted products.

The victim enters their card details and OTP on a fake payment page, unaware that the data is sent directly to the attacker's Telegram account. The stolen information is then used for unauthorized transactions or sold on the dark web.

To protect yourself from threats like PhishWP, experts recommend using advanced browser-based phishing protection tools. These solutions provide real-time threat detection, block harmful URLs in all major browsers, and identify phishing attempts before sensitive data can be compromised.
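Because PhishWP can also be placed on existing WordPress sites and sends its data out via Telegram, site owners can review their own plugin directory. The following is an added example, not code from the researchers or the cited articles: a heuristic that flags plugin PHP files referencing both the Telegram Bot API and payment or OTP field names. The regex indicators, function names and the sample tree are assumptions constructed for illustration, not strings taken from a PhishWP sample.

```python
import re
import tempfile
from pathlib import Path

# Assumed indicators (not extracted from PhishWP itself): the public Telegram
# Bot API host, and field names a card/OTP capture form is likely to use.
TELEGRAM_RE = re.compile(rb"api\.telegram\.org/bot", re.I)
CARD_RE = re.compile(rb"card[_-]?(number|num|no)|\bcvv\b|\bcvc\b|\botp\b|3ds", re.I)

def scan_plugins(plugins_dir):
    """Return {plugin: [relative paths]} for PHP files that contain BOTH a
    Telegram Bot API reference and payment/OTP field names. Requiring both
    keeps ordinary Telegram notification plugins out of the results."""
    hits = {}
    root = Path(plugins_dir)
    for php in sorted(root.rglob("*.php")):
        try:
            data = php.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if TELEGRAM_RE.search(data) and CARD_RE.search(data):
            rel = php.relative_to(root)
            hits.setdefault(rel.parts[0], []).append(rel.as_posix())
    return hits

def build_demo_tree(base):
    """Constructed sample tree: a benign form plugin, a benign Telegram
    order notifier, and one file that matches both indicator sets."""
    files = {
        "contact-form/form.php": b"<?php echo 'name, email, message';",
        "order-notify/notify.php":
            b"<?php $u = 'https://api.telegram.org/bot<TOKEN>/sendMessage'; // new order alert",
        "fast-checkout/pay.php":
            b"<?php $u = 'https://api.telegram.org/bot<TOKEN>/sendMessage';"
            b" $f = ['card_number', 'cvv', 'otp'];",
    }
    for rel, body in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        for plugin, paths in scan_plugins(demo).items():
            print(f"review plugin '{plugin}': {paths}")
```

A match is a prompt for manual review rather than proof of compromise, and obfuscated code will not match these plain-text patterns.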

Source:
https://www.darkreading.com/threat-intelligence/phishwp-plugin-hijacks-wordpress-e-commerce-checkouts
https://www.infosecurity-magazine.com/news/phishwp-plugin-enables-payment/