PhishWP, a malicious WordPress plugin, exploits familiar payment interfaces like Stripe to deceive users into entering their credit card details, OTPs, and billing addresses on a fake checkout page.
By capturing this financial information, the attack gives its operators unauthorized access to victims' payment credentials, which can result in direct financial loss.
It creates fraudulent payment pages that resemble legitimate services such as Stripe, steals user data including credit card details, and transmits it to the attackers via Telegram, enabling rapid exploitation of victims through compromised or newly created WordPress websites.
The malware steals sensitive user data, including 3DS OTPs, directly from WordPress websites, which allows attackers to bypass security measures and execute fraudulent transactions, posing as legitimate users.
PhishWP effectively phishes by creating realistic checkout pages, harvesting 3DS codes through deceptive pop-ups, instantly transmitting stolen data via Telegram, and profiling user environments to enhance future fraudulent activities.
It facilitates sophisticated phishing attacks by enabling realistic fake order confirmations, supporting multiple languages for global reach, and offering obfuscation techniques to evade detection, ultimately stealing sensitive data from unsuspecting victims.
The use of PhishWP by an attacker allows for the creation of a fraudulent e-commerce website that provides substantial price reductions, and by mimicking Stripe payment pages and 3DS authentication, the attacker tricks users into entering sensitive payment information and OTPs, ultimately stealing their financial data.
The plugin exfiltrates sensitive data, including card details and OTPs, to the attacker’s Telegram account via real-time transmission, which is subsequently exploited for fraudulent transactions or sold illicitly on dark web marketplaces.
Attackers exploit WordPress sites, either compromised or fabricated, to deploy PhishWP, which replicates legitimate payment service interfaces mimicking their visual and textual elements to deceive users into entering sensitive financial data on fraudulent checkout pages.
According to SlashNext, PhishWP is deployed on compromised or attacker-built websites, and social engineering techniques are used to lure victims to those sites.
Upon entry, the malware discreetly exfiltrates sensitive user data, including financial and personally identifiable information, and transmits it to the attacker’s command-and-control server via a secure channel, typically Telegram.
The attacker crafts a phishing email, tricking the victim into revealing sensitive information and then generates a fraudulent confirmation email to deceive the victim. The stolen data is subsequently exploited or sold illicitly within underground online marketplaces.
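A defender-side check that follows from the behaviour described above (real-time exfiltration to Telegram, harvesting of card and OTP fields, obfuscation to evade detection) is to scan a WordPress plugins directory for that combination of indicators. The script below is an added example, not code from SlashNext or from the page: the regex indicators, the scoring weights, the directory layout and the two sample plugin files are assumptions constructed for the demo, and the `api.telegram.org/bot` prefix is simply the public Telegram Bot API URL form, not an endpoint the report cites.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicator patterns (assumed for this example; tune to your own environment).
# Telegram's public Bot API lives under https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
# Field names a fake checkout page would collect (card data, 3DS one-time codes).
PAYMENT_FIELDS = re.compile(
    r"\b(card_?number|cvv|cvc|expiry|otp|3ds|one_?time_?code)\b", re.IGNORECASE
)
# Classic PHP obfuscation/loader calls.
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)

INDICATORS = {
    "telegram_bot_api": TELEGRAM_BOT_API,
    "payment_fields": PAYMENT_FIELDS,
    "obfuscation": OBFUSCATION,
}


def scan_source(source: str) -> Dict[str, List[int]]:
    """Return {indicator: [line numbers]} for the indicators found in one PHP file."""
    hits: Dict[str, List[int]] = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return {name: lines for name, lines in hits.items() if lines}


def risk_score(hits: Dict[str, List[int]]) -> int:
    """Weight the findings; an exfil channel next to payment fields is the telling pair."""
    score = 0
    score += 3 if "telegram_bot_api" in hits else 0
    score += 2 if "payment_fields" in hits else 0
    score += 1 if "obfuscation" in hits else 0
    if "telegram_bot_api" in hits and "payment_fields" in hits:
        score += 4  # card data plus a Telegram bot endpoint in one plugin: escalate
    return score


def scan_plugin_dir(root: Path) -> Dict[str, dict]:
    """Scan every .php file under a wp-content/plugins-style tree; report only files with hits."""
    results: Dict[str, dict] = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_source(php.read_text(errors="replace"))
        if hits:
            key = php.relative_to(root).as_posix()
            results[key] = {"hits": hits, "score": risk_score(hits)}
    return results


# Constructed sample plugins (not real code from any plugin). The suspicious one only
# carries the strings a scanner would key on; it sends nothing and is inert.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Hello Footer (constructed benign sample) */
add_action('wp_footer', function () { echo '<p>Thanks for visiting</p>'; });
"""

SUSPICIOUS_PLUGIN = """<?php
/* Plugin Name: Checkout Helper (constructed sample carrying PhishWP-like indicators) */
$endpoint = 'https://api.telegram.org/bot' . $token . '/sendMessage';
$fields = array('card_number' => '', 'cvv' => '', 'otp' => '');
eval(base64_decode($blob));
"""


def demo() -> Dict[str, dict]:
    """Write the two samples into a temporary plugins tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hello-footer").mkdir()
        (root / "hello-footer" / "hello-footer.php").write_text(BENIGN_PLUGIN)
        (root / "checkout-helper").mkdir()
        (root / "checkout-helper" / "checkout-helper.php").write_text(SUSPICIOUS_PLUGIN)
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{path}: score={finding['score']} hits={finding['hits']}")
```

Point `scan_plugin_dir` at a real `wp-content/plugins` directory to triage an installation; the score is only a ranking aid for manual review, since legitimate payment plugins also reference card fields and some legitimate code uses `base64_decode`.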