New PhishWP Plugin Enables Sophisticated Payment Page Scams

A newly identified WordPress plugin called PhishWP has been used by cybercriminals to create fake payment pages mimicking legitimate services like Stripe, enabling the theft of sensitive financial and personal data.

The malicious plugin was observed by SlashNext researchers circulating on a Russian cybercrime forum. It allows attackers to generate convincing payment interfaces that capture credit card details, billing addresses and even one-time passwords (OTPs) from victims. Once the information is entered, PhishWP transmits the stolen data directly to the attackers via Telegram, often in real time.

Cybercriminals deploy PhishWP either by compromising existing WordPress sites or creating fraudulent ones. The plugin’s design closely replicates trusted payment gateways, making it difficult for users to detect the deception.

A Powerful Tool for Cybercriminals

PhishWP offers a range of features that make it a powerful tool for cybercriminals.

It can create highly customizable checkout pages that mimic legitimate payment processors, collect one-time passwords (OTPs) to bypass security measures and send stolen data directly to attackers through Telegram.

“In cases where users have enabled 3DS code requests, the plugin also includes a 3DS code popup to make sure that this information is also siphoned off to the threat actor. Data such as the user’s IP address, browser information, etc. is also sent across along with their credit card information,” explained Mayuresh Dani, manager of security research at Qualys.

“To make sure that the attackers have time to use the stolen information, the plugin also includes functionality that sends a confirmation email to victims with their order details. [...] This functionality makes PhishWP a highly successful information stealer.”

Additionally, the malware profiles browser information, sends deceptive confirmation emails, supports multiple languages for global campaigns and even includes obfuscation options to conceal its true purpose.

How PhishWP Operates

An example attack using PhishWP involves an attacker setting up a fake e-commerce site with heavily discounted products.

Victims enter their card details and OTPs on the counterfeit payment page, unaware that the data is instantly sent to the attacker’s Telegram account. The stolen information is then used for unauthorized transactions or sold on dark web marketplaces.

To protect against threats like PhishWP, experts recommend using advanced browser-based phishing protection tools. These solutions provide real-time threat detection, blocking malicious URLs across all major browsers and identifying phishing attempts before sensitive data can be compromised.
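
For operators of WordPress sites, the real-time Telegram transmission described above suggests a server-side check: a form POST followed within seconds by an outbound connection from the web server to Telegram. The Python below is an added example, not code from SlashNext or the article; the log formats, sample lines, five-second window and the `api.telegram.org` destination are assumptions (the article says only that data is sent via Telegram).

```python
import re
from datetime import datetime, timedelta

# Assumption: exfiltration goes to Telegram's Bot API host (the article says only "via Telegram").
TELEGRAM_HOSTS = {"api.telegram.org"}
WINDOW = timedelta(seconds=5)  # "real time": egress right after the form POST

# Constructed sample data; both log formats are illustrative.
ACCESS_LOG = """\
203.0.113.7 - - [06/Jan/2025:10:15:02 +0000] "POST /checkout/ HTTP/1.1" 200 512
198.51.100.9 - - [06/Jan/2025:10:20:11 +0000] "GET /shop/ HTTP/1.1" 200 8841
198.51.100.22 - - [06/Jan/2025:10:31:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
EGRESS_LOG = """\
2025-01-06T10:15:03+00:00 web01 CONNECT api.telegram.org:443
2025-01-06T10:25:00+00:00 web01 CONNECT api.wordpress.org:443
2025-01-06T11:00:00+00:00 web01 CONNECT api.telegram.org:443
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) ')

def parse_posts(log):
    """(time, client_ip, path) for every POST in the access log."""
    found = (ACCESS_RE.match(line) for line in log.splitlines())
    return [(datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), m[1], m[3])
            for m in found if m]

def telegram_egress(log):
    """Times of outbound connections from the web server to Telegram."""
    rows = (line.split() for line in log.splitlines() if line.strip())
    return [datetime.fromisoformat(ts) for ts, _host, _verb, dest in rows
            if dest.rsplit(":", 1)[0].lower() in TELEGRAM_HOSTS]

def correlate(access_log, egress_log):
    """Pair each Telegram connection with the POST that immediately preceded it."""
    posts = parse_posts(access_log)
    findings = []
    for t in telegram_egress(egress_log):
        prior = [p for p in posts if timedelta(0) <= t - p[0] <= WINDOW]
        trigger = max(prior, key=lambda p: p[0]) if prior else None
        findings.append({"egress": t.isoformat(),
                         "path": trigger[2] if trigger else None,
                         "client": trigger[1] if trigger else None})
    return findings

if __name__ == "__main__":
    for finding in correlate(ACCESS_LOG, EGRESS_LOG):
        print(finding)
```

A connection with no matching POST is still reported, with `path` set to `None`, since a web server without a Telegram integration has little reason to contact it.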
