A WordPress plugin designed to facilitate phishing of online shoppers has emerged on Russian cybercrime forums, SlashNext reported Monday.
The plugin, known as PhishWP, steals credit card information, browser data and more as victims are tricked into completing a payment process on a malicious or compromised shopping page. The phishing pages imitate those displayed by familiar, trusted payment services like Stripe.
Attackers may install the plugin on their own WordPress site or on a legitimate WordPress site they have compromised, and a Telegram integration feature enables them to receive stolen data in a Telegram chat in real time.
In addition to swiping credit card details, the plugin also uses a pop-up window to retrieve a one-time password used for 3D Secure (3DS) authentication — a method similar to two-factor authentication in which the one-time password is sent to the user’s phone or email in order to verify the cardholder’s identity.
PhishWP furthers the attacker’s ability to impersonate the victim for fraudulent purchases through the 3DS code theft and through the collection of browser information like IP address and screen resolution.
While one-time passwords for 3DS checks typically change every few minutes, the plugin’s use of Telegram instant message integration could assist attackers in speedily leveraging these codes.
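As an added defensive illustration (this is not code from SlashNext's post or from PhishWP itself), the Python script below sweeps a WordPress `wp-content/plugins` tree for the combination of behaviours described above: hard-coded Telegram Bot API calls sitting next to code that reads card and one-time-password form fields, plus the eval-based obfuscation a "stealthier" build would likely carry. The indicator regexes, the two-indicator threshold and the sample plugin files it writes into a temporary directory are constructed assumptions for the demonstration, not signatures extracted from the real plugin; a site owner would point `scan_plugins_dir` at the live plugins directory instead.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators (assumed for this example, not derived from PhishWP's code).
# Each one alone is weak; a plugin matching several at once deserves a manual look.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "telegram_send": re.compile(r"\bsendMessage\b"),
    "card_field_capture": re.compile(
        r"\$_(?:POST|REQUEST)\[\s*['\"](?:card|cc|cvv|cvc|pan)\w*['\"]", re.I),
    "otp_field_capture": re.compile(
        r"\$_(?:POST|REQUEST)\[\s*['\"](?:otp|3ds|secure_code|verification)\w*['\"]", re.I),
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


def scan_plugin_file(path: Path) -> list[str]:
    """Return the names of every indicator found in one PHP file, in INDICATORS order."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_plugins_dir(plugins_dir: Path, min_hits: int = 2) -> dict[str, list[str]]:
    """Walk a plugins tree and report files that trip at least min_hits indicators.

    Keys are paths relative to plugins_dir (POSIX form); values are the hit lists.
    """
    findings: dict[str, list[str]] = {}
    for php in sorted(plugins_dir.rglob("*.php")):
        hits = scan_plugin_file(php)
        if len(hits) >= min_hits:
            findings[php.relative_to(plugins_dir).as_posix()] = hits
    return findings


def build_constructed_sample(root: Path) -> Path:
    """Write a benign plugin and a suspicious one into root/plugins (constructed data)."""
    plugins = root / "plugins"
    benign = plugins / "benign-shop-helper"
    suspicious = plugins / "suspicious-checkout"
    benign.mkdir(parents=True)
    suspicious.mkdir(parents=True)

    # Benign: reads an ordinary billing field and sends a normal confirmation mail.
    (benign / "helper.php").write_text(
        "<?php\n"
        "// constructed benign sample\n"
        "$email = $_POST['billing_email'];\n"
        "wp_mail($email, 'Order received', 'Thanks for your order');\n"
    )

    # Suspicious: card + OTP field reads, a Telegram bot endpoint and eval obfuscation.
    # TOKEN_PLACEHOLDER stands in for a bot token; nothing here sends data anywhere.
    (suspicious / "checkout-hook.php").write_text(
        "<?php\n"
        "// constructed suspicious sample\n"
        "$card = $_POST['card_number'];\n"
        "$otp  = $_POST['otp_code'];\n"
        "$url  = 'https://api.telegram.org/bot' . TOKEN_PLACEHOLDER . '/sendMessage';\n"
        "eval(base64_decode('Ly8gcGxhY2Vob2xkZXI='));\n"
    )
    return plugins


def demo() -> dict[str, list[str]]:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = build_constructed_sample(Path(tmp))
        return scan_plugins_dir(plugins)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

The threshold matters: a legitimate notification plugin may legitimately call the Telegram Bot API, and a payment gateway legitimately reads card fields, so the script only reports files where several indicators co-occur. Treat a hit as a prompt to diff the plugin against a clean copy from the official repository, not as proof of compromise.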
“This immediate forwarding of information equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data — sometimes within minutes of capturing it,” Jason Soroko, senior fellow at Sectigo, commented in an email to SC Media.
SlashNext’s blog post detailing PhishWP shows a screenshot of the phishing-as-a-service tool being advertised on a Russian cybercrime forum, which was not named in the post, in November 2024. The seller also offered the option of a stealthier obfuscated version of the plugin or access to its source code for more advanced customization, according to SlashNext.
Other features of the plugin include support for multiple languages and the automatic sending of order confirmation emails to victims in order to reduce suspicion about the compromised payment process.
WordPress websites are frequently targeted for compromise, with malicious plugins or exploitation of vulnerabilities in legitimate plugins being popular entryways for attackers. Compromised shopping sites can be leveraged to intercept transactions and promote fake product listings, as seen in the “Phish ‘n’ Ships” scheme uncovered by HUMAN’s Satori Threat Intelligence and Research team in October 2024.
Even without compromising another site, attackers could still use PhishWP by creating their own WordPress sites with fake product listings and promoting them through methods like spam email, social media ads or SEO poisoning, SlashNext noted. Advertising high-demand, hard-to-find and/or heavily discounted products is a common method that online shopping scams use to trick victims into submitting their payment information.