New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages
SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.
SUMMARY
- Sophisticated Phishing Tool: Russian cybercriminals created a WordPress plugin, PhishWP, to mimic legitimate payment pages and steal sensitive data like credit card details, CVVs, and 3DS OTPs.
- Real-Time Data Exploitation: PhishWP transmits stolen information directly to attackers via Telegram, enabling immediate unauthorized use or sale on the dark web.
- Advanced Features: The plugin offers customizable fake checkout pages, browser profiling, 3DS code pop-ups, and auto-response emails to deceive users and bypass security measures.
- Global Impact: Multi-language support and obfuscation features allow attackers to launch targeted phishing campaigns worldwide, leading to financial losses and data breaches.
- Mitigation Strategies: Users are urged to implement phishing protection tools, maintain vigilance, and adopt proactive cybersecurity measures to combat these threats effectively.
Online transactions have become an integral part of our lives in the digital age. We rely on the Internet for everything from shopping and banking to social interactions. However, this convenience comes at a price as cybercriminals exploit users’ trust to obtain sensitive data.
The cybersecurity firm SlashNext has discovered one such threat. According to their research, which was shared with Hackread.com ahead of its publication on Monday, Russian cybercriminals have built a new WordPress plugin, PhishWP, that generates fake payment pages. Instead of processing payments, these pages steal credit card numbers, expiration dates, CVVs, and billing addresses.
PhishWP creates deceptively realistic online payment pages that mimic legitimate services like Stripe. These fake pages lure unsuspecting users into entering their credit card details, expiration dates, CVV codes, and even the crucial one-time passwords (OTPs) used for 3D Secure authentication.
In its blog post, SlashNext outlined an attack scenario where an attacker creates a fake e-commerce website using PhishWP and replicates Stripe payment pages. Users are directed to a fake checkout page, where a 3DS code pop-up requests an OTP, which users unknowingly provide. The plugin transmits collected information to the attacker’s Telegram account, allowing them to exploit data for unauthorized purchases or sell it on dark web marketplaces.
This means that the sophisticated plugin goes beyond simply collecting data; it integrates with platforms like Telegram, enabling real-time transmission of stolen information directly to the attackers, maximizing the potential for immediate exploitation.
Furthermore, the plugin leverages advanced techniques like 3DS code harvesting, where it tricks victims into entering OTPs via pop-ups, effectively bypassing security measures designed to verify cardholder identity.
To enhance its effectiveness, PhishWP offers several key features, including customizable checkout pages that closely resemble legitimate payment interfaces, browser profiling capabilities that tailor attacks to specific user environments, and auto-response emails that create a false sense of security in victims. By combining these features with multi-language support and obfuscation options, attackers can launch highly targeted and evasive phishing campaigns on a global scale.
Screenshot from the Russian hacker forum (Via SlashNext)
Researchers note that PhishWP is a powerful tool that allows cybercriminals to conduct phishing attacks with utmost sophistication, causing significant financial losses and personal data breaches.
To mitigate these risks, it is essential to use reliable security measures, such as browser-based phishing protection tools, which provide real-time defence against malicious URLs and prevent users from visiting compromised websites. Vigilance and proactive security measures can reduce your vulnerability to these sophisticated attacks to a great extent.
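For site owners and hosting providers, the behaviour described above (a WordPress plugin that handles card fields and forwards them to Telegram) suggests a simple audit of installed plugins. The following Python script is an added example, not SlashNext's tooling or code taken from PhishWP; the Telegram Bot API hostname, the field-name patterns, the obfuscation marker and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: exfiltration uses the public Telegram Bot API host.
TELEGRAM = re.compile(r"api\.telegram\.org", re.I)
# Assumption: field names a fake checkout form would plausibly handle.
CARD_FIELDS = re.compile(r"card[_-]?num(ber)?|\bcvv\b|\bcvc\b|3ds|\botp\b|expir", re.I)
# Crude marker for packed PHP, since the page mentions obfuscation options.
OBFUSCATED = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)

def scan_plugins(plugins_dir):
    """Return {plugin: sorted reasons} for plugins that deserve manual review."""
    seen = {}
    for php in Path(plugins_dir).rglob("*.php"):
        text = php.read_text(errors="ignore")
        # Aggregate per plugin: the form and the sender may live in different files.
        reasons = seen.setdefault(php.relative_to(plugins_dir).parts[0], set())
        if TELEGRAM.search(text):
            reasons.add("telegram-endpoint")
        if CARD_FIELDS.search(text):
            reasons.add("card-fields")
        if OBFUSCATED.search(text):
            reasons.add("obfuscated-eval")
    # Flag only card handling combined with Telegram, or packed code.
    return {name: sorted(r) for name, r in seen.items()
            if {"telegram-endpoint", "card-fields"} <= r or "obfuscated-eval" in r}

def build_sample_tree(root):
    """Write constructed sample plugins (not real PhishWP code) for an offline run."""
    samples = {
        "contact-form/form.php": "<?php $otp = $_POST['otp']; // login code only",
        "chat-notify/notify.php": "<?php $url = 'https://api.telegram.org/bot<TOKEN>/sendMessage';",
        "fake-checkout/form.php": "<?php $n = $_POST['card_number']; $c = $_POST['cvv'];",
        "fake-checkout/send.php": "<?php $url = 'https://api.telegram.org/bot<TOKEN>/sendMessage';",
        "packed/loader.php": "<?php eval(base64_decode($blob));",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, reasons in sorted(scan_plugins(tmp).items()):
            print(name, reasons)
```

A hit is a prompt for manual review rather than a verdict: legitimate notification plugins also contact Telegram, and obfuscated code can hide both markers.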
Mr. Mayuresh Dani, Manager, Security Research at Qualys Threat Research Unit, commented on the latest development, stating, “WordPress plugins like PhishWP pose significant risks by mimicking payment interfaces to steal user information, including credit card details and 3DS codes. Data is sent to attackers via Telegram, making PhishWP a highly effective information stealer when victims input valid details.”