Meet PhishWP – The New WordPress Plugin That’s Turning Legit Sites into Phishing Traps


One morning, you decide to make a purchase from a seemingly reputable online store. The website displays a familiar checkout interface resembling Stripe’s payment process.

You enter your payment details, feeling confident in the website’s legitimacy:

  • Credit card number 
  • Expiration date 
  • CVV 
  • Billing address

You even enter a one-time password (OTP) sent to your phone, believing it ensures your transaction’s security. Little do you know, you’ve fallen victim to a new WordPress plugin found on a Russian cybercrime forum: PhishWP.

PhishWP is a WordPress plugin built by cybercriminals. It creates fake payment pages that look just like trusted services, such as Stripe. Threat actors use it to steal sensitive information such as credit card numbers, personal data, and browser metadata.

PhishWP even connects with Telegram, sending stolen data to attackers as soon as a victim hits “enter.” This makes phishing attacks faster and more efficient. 

Attackers can either compromise legitimate WordPress websites or set up fraudulent ones to install it. After configuring the plugin to mimic a payment gateway, unsuspecting users are lured into entering their payment details.

The plugin collects this information and sends it directly to attackers, often in real time. PhishWP also uses advanced tricks, like stealing the OTP sent for a 3D Secure (3DS) check during checkout. 3DS is a safety measure that sends a short code to your phone or email to prove that you’re the actual cardholder. By grabbing this code, attackers can pass themselves off as you, making their fake transactions look completely real.

Learn how to stay safe from threats like PhishWP with a tool like SlashNext’s Browser Phishing Protection.

Official advertisement for PhishWP

Key Features of PhishWP

How does PhishWP collect your card details, the special code your bank sends you, and send you a friendly confirmation email—all before you realize you sent your private information straight to a hacker? Let’s look at the specific features PhishWP uses that make it effective in phishing campaigns:

  1. Customizable checkout pages: Simulates payment processors like Stripe, creating highly convincing fake interfaces.
  2. 3DS code harvesting: Tricks victims into entering one-time passwords (OTPs) via pop-ups, bypassing authentication layers.
  3. Telegram integration: Instantly transmits stolen data to attackers for real-time exploitation.
  4. Browser profiling: Captures details such as IP addresses, screen resolutions, and user agents to replicate user environments for future fraud.
  5. Auto-response emails: Sends fake order confirmations to victims, delaying suspicion and detection.
  6. Multi-language support: Enables global phishing campaigns by accommodating multiple languages.
  7. Obfuscation options: Offers either an obfuscated build of the plugin for stealth or the source code for advanced customization.

PhishWP’s features make fake checkout pages look real, steal security codes, send your details to attackers right away, and trick you into thinking everything went fine. This is why staying alert and using strong security tools is more important than ever.

Protect your credit card details from PhishWP with SlashNext’s Browser Phishing Protection.

Example of a Phishing Attack Using PhishWP

Let’s walk through an example. Imagine an attacker sets up a fake e-commerce website advertising high-demand products at discounted prices. Using PhishWP, they replicate Stripe payment pages to deceive users. 

The attack unfolds as follows: first, users are directed to a convincing fake checkout page where they enter their payment and personal details. Next, a 3DS code pop-up requests an OTP, which users unwittingly provide, believing the site is legitimate. 

Meanwhile, the plugin transmits all collected information, including card details and OTPs, to the attacker’s Telegram account in real time. Finally, the attacker exploits the data for unauthorized purchases or sells it on dark web marketplaces.

PhishWP example of a successful attack
Example of what the attacker views after a successful attack

Here’s the step-by-step breakdown of how attackers put PhishWP to work:

  1. Set up on a WordPress site: Attackers either break into a trusted WordPress site or create their own fake one.
  2. Copy a real payment service: They use PhishWP to make checkout pages look just like a real payment processor (like Stripe), adjusting the design so nothing seems off about the branding, fields, or language.
  3. Lure victims in: Victims arrive at the site through carefully planned phishing emails, social media ads, or sneaky search results. Everything looks normal, so they enter their payment and personal details without a second thought.
  4. Steal the data: PhishWP scoops up all the sensitive information—credit card numbers, addresses, even special security codes—and instantly sends it to the attacker, often via Telegram.
  5. Cover the tracks: The victim then receives a fake confirmation email, making them believe their purchase went through. Meanwhile, the attacker uses or sells the stolen info in secret online markets.
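
For owners of WordPress sites, steps 1 and 4 above suggest a plugin audit: look for plugin code that handles payment or OTP fields and also talks to the Telegram Bot API. The script below is an added example, not code from the original article or from any vendor tool; the indicator patterns, function names and the sample plugin tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators (assumptions for this example, not PhishWP signatures).
TELEGRAM_API = re.compile(rb"api\.telegram\.org/bot", re.I)
PAYMENT_FIELDS = re.compile(rb"\b(?:otp|cvv|cvc)\b|card[_-]?number", re.I)


def scan_plugins(plugins_dir):
    """Return {plugin: [relative PHP paths]} for files that reference the
    Telegram Bot API and payment/OTP field names in the same file."""
    findings = {}
    root = Path(plugins_dir)
    for php in sorted(root.rglob("*.php")):
        data = php.read_bytes()
        if TELEGRAM_API.search(data) and PAYMENT_FIELDS.search(data):
            rel = php.relative_to(root)
            findings.setdefault(rel.parts[0], []).append(rel.as_posix())
    return findings


def build_sample_tree(base):
    """Constructed, inert sample files: a benign order notifier, an ordinary
    checkout form, and one file combining both indicators."""
    samples = {
        "order-alerts/notify.php":
            "<?php // constructed\n$endpoint = 'https://api.telegram.org/bot<TOKEN>/sendMessage';",
        "shop-checkout/form.php":
            "<?php // constructed\necho '<input name=\"card_number\"><input name=\"cvv\">';",
        "fast-pay/gateway.php":
            "<?php // constructed\n$fields = ['card_number', 'cvv', 'otp'];\n"
            "$endpoint = 'https://api.telegram.org/bot<TOKEN>/sendMessage';",
    }
    for rel, body in samples.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for plugin, files in scan_plugins(build_sample_tree(tmp)).items():
            print(f"REVIEW {plugin}: {', '.join(files)}")
```

Plain string matching will miss an obfuscated build, so treat a clean result as one signal only and also compare the installed plugin list against what the site is expected to run.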

Get Protection With SlashNext

How do you stay safe from threats like PhishWP? Use a tool like SlashNext’s Browser Phishing Protection. It works inside your browser, spotting zero-hour phishing sites before they get you. It’s cloud-powered, fast, and works on all major browsers. With SlashNext, you get real-time defense that stops attacks cold.

It operates within the browser memory, blocking malicious URLs, and supports all major browsers like Chrome, Safari, Edge, and Firefox. 

By providing fast threat detection and blocking capabilities, our solution protects users from a wide range of phishing attacks, including those that traditional security measures might miss.

Learn how to protect against PhishWP and view a demo

 
