Malicious PhishWP Plugin Targets WordPress E-commerce Payment Data Through Fake Checkouts

A sophisticated malicious WordPress plug-in called PhishWP has emerged on Russian cybercrime forums, targeting e-commerce websites by creating deceptive payment gateways that steal customer data, according to new research from SlashNext.

The plug-in creates convincing fake checkout pages that impersonate trusted payment processors like Stripe. When unsuspecting customers enter their payment details, the information is instantly transmitted to cybercriminals through Telegram instead of processing legitimate transactions.

The stolen data includes credit card numbers, expiration dates, CVV codes, and billing addresses. Attackers can quickly exploit this information for fraudulent purchases or sell it on dark web marketplaces, sometimes within minutes of capture.

What makes PhishWP particularly dangerous is its array of deceptive features. The plug-in includes:

  • One-time password (OTP) functionality that makes transactions appear secure
  • Customizable checkout interfaces mimicking popular payment systems
  • Browser profiling to capture IP addresses and user environment data
  • Automated fake order confirmation emails to delay detection
  • Real-time data transmission through Telegram
  • Multi-language support for global targeting

The malware can be deployed either by compromising legitimate WordPress sites or by creating fraudulent e-commerce stores. Its browser-based nature makes detection challenging, since the malicious code appears to be a legitimate part of the checkout process.
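For site owners, the Telegram channel described above gives a server-side audit point: plug-in code that references the Telegram Bot API and also handles card fields deserves a close look. The following is an added example, not code from the article or from SlashNext's research; the card-field keyword list, the severity labels and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Telegram Bot API endpoint; the article says stolen data leaves via Telegram.
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot", re.I)
# Assumed heuristic: field names a card form typically uses.
CARD_RE = re.compile(r"card[_-]?number|cvv|cvc|exp(iry|iration)?[_-]?(date|month|year)", re.I)
SCAN_EXT = (".php", ".inc", ".js")


def scan_plugin_tree(root):
    """Return sorted [(relative_path, severity, telegram_line_numbers)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            hits = [n for n, text in enumerate(lines, 1) if TELEGRAM_RE.search(text)]
            if not hits:
                continue  # no Telegram endpoint, nothing to report
            # Card-field names in the same file raise the finding to "high".
            severity = "high" if any(CARD_RE.search(t) for t in lines) else "review"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, severity, hits))
    return sorted(findings)


def demo():
    """Scan a constructed plugin tree (sample files are made up for this example)."""
    samples = {
        "fake-gateway/checkout.php": "<?php\n$n = $_POST['card_number'];\n$c = $_POST['cvv'];\n"
                                     "$url = 'https://api.telegram.org/bot' . $token;\n",
        "uptime-alerts/notify.php": "<?php\n// admin alerts\n$url = 'https://api.telegram.org/bot' . $token;\n",
        "shop/form.php": "<?php echo '<input name=\"card_number\">';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_plugin_tree(root)


if __name__ == "__main__":
    for rel, severity, hits in demo():
        print(f"{severity:6} {rel} lines {hits}")
```

On a real site, pass the `wp-content/plugins` directory to `scan_plugin_tree`. A hit is a lead for manual review rather than proof, and code that hides its endpoint behind encoding will not match these plain-text patterns.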

With WordPress powering over 472 million websites globally, the platform presents an attractive target for cybercriminals developing malicious plug-ins. Security experts recommend implementing browser-based phishing protection tools that can identify and block these threats before users interact with compromised checkout pages.

The discovery of PhishWP highlights the growing sophistication of e-commerce fraud tools and the need for enhanced security measures to protect online shoppers' sensitive payment information.