

A report released today by phishing protection company SlashNext Inc. warns of a dangerous new WordPress plugin that is being used by cybercriminals to turn legitimate websites into phishing traps.
Called PhishWP, the WordPress plugin is being distributed on a Russian cybercrime forum and allows attackers to create highly convincing fake payment pages, mimicking trusted services such as Stripe, to steal sensitive user information such as credit card details, onetime passwords and browser metadata in real-time.
PhishWP works by allowing attackers to compromise legitimate WordPress websites or set up fraudulent ones to host the plugin. Once installed, the plugin is configured to replicate trusted payment gateways such as Stripe and create fake checkout pages that are nearly indistinguishable from the real thing. The convincing interfaces lure unsuspecting users into providing sensitive information, believing they’re engaging with a secure, legitimate site.
Fake storefronts aren’t new, but PhishWP takes the old idea further with an ability to harvest 3D Secure authentication codes, a layer of protection used during online transactions. When users enter their onetime password into the fake payment page, the plugin captures the code in real time, allowing the attackers to bypass authentication measures and complete fraudulent transactions while maintaining the appearance of legitimacy.
The plugin also offers Telegram integration to instantly transmit stolen data to the attackers. The real-time communication is noted by the SlashNext researchers to enable threat actors to exploit the information immediately and, in doing so, reduce the window of opportunity for victims or security systems to detect and respond to the breach.
PhishWP includes browser profiling to gather additional metadata, such as IP addresses, screen resolutions and user agents. The additional information gathered allows attackers to replicate user environments for future fraud attempts, evade detection and make their activities appear legitimate to security systems.
To further cover its tracks and to avoid raising suspicion, PhishWP additionally sends victims fake confirmation emails after their information is stolen. The emails make it appear to victims that the transaction was successful, giving the attackers more time to exploit the data or sell it on dark web marketplaces.
The researchers conclude by emphasizing the need for phishing protection against risks such as PhishWP. WordPress users should also be on the lookout for any compromises of their sites and strange-looking plugins appearing in their WordPress installs.
Support our open free content by sharing and engaging with our content and community.
Where Technology Leaders Connect, Share Intelligence & Create Opportunities
SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.