Summary:
A malicious plugin recently discovered on a Russian cybercrime forum manipulates WordPress sites into phishing pages by creating fake online payment processes that impersonate trusted checkout services. This attack masquerades as a legitimate e-commerce app like Stripe to steal customer payment data and browser metadata. The illicit service is called PhishWP and it is a WordPress plugin built by cybercriminals. PhishWP utilizes Telegram to send stolen data to attackers as soon as a victim hits “enter.” This makes phishing attacks faster and more efficient. Attackers can either compromise legitimate WordPress websites or install the plugin on fraudulent ones. After configuring the plugin, the adversary lures victims into entering their payment details. By collecting this information in real-time the malware can perform advanced tricks like stealing the special OTP code sent to the victim during the purported checkout process. Key features of PhishWP used to make the campaign effective include:

• Customizable checkout pages: Simulates payment processors like Stripe, creating highly convincing fake interfaces.
• 3DS code harvesting: Tricks victims into entering one-time passwords (OTPs) via pop-ups, bypassing authentication layers.
• Telegram integration: Instantly transmits stolen data to attackers for real-time exploitation.
• Browser profiling: Captures details such as IP addresses, screen resolutions, and user agents to replicate user environments for future fraud.
• Auto-response emails: Sends fake order confirmations to victims, delaying suspicion and detection.
• Multi-language support: Enables global phishing campaigns by accommodating multiple languages.
• Obfuscation options: Provides an obfuscated version of the plugin for stealth or source code for advanced customizations.

Security Officer Comments:
Here’s a high-level breakdown of how adversaries use PhishWP:

1. Set up on a WordPress site: Attackers either break into a trusted WordPress site or create their own fake one.
2. Copy a real payment service: They use PhishWP to make checkout pages look just like a real payment processor (like Stripe), adjusting the design and language so nothing seems off about the branding, fields, or language.
3. Lure victims in: Victims arrive at the site through carefully planned phishing emails, social media ads, or sneaky search results. Everything looks normal, so they enter their payment and personal details without a second thought.
4. Steal the data: PhishWP scoops up all the sensitive information—credit card numbers, addresses, even special security codes—and instantly sends it to the attacker, often via Telegram.
5. Cover the tracks: The victim then receives a fake confirmation email, making them believe their purchase went through. Meanwhile, the attacker uses or sells the stolen info in secret online markets.

Although the cybersecurity community is alerted often of vulnerabilities in WordPress plugins, PhishWP introduces a new kind of threat to organizations utilizing WordPress sites. This marketed phishing service can capitalize off of WordPress sites compromised by vulnerabilities in different plugins and expand their impact on operations.

Suggested Corrections:
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.

Link(s):
https://www.bleepingcomputer.com/news/security/bios-flaws-expose-iseq-dna-sequencers-to-bootkit-attacks/

https://slashnext.com/blog/phishwp-turns-sites-into-phishing-traps/