A sophisticated phishing campaign is actively targeting WordPress administrators with convincing fake domain renewal notices, aiming to steal sensitive credit card information and two-factor authentication codes. These deceptive emails, designed to mimic legitimate WordPress.com renewal reminders, are redirecting unsuspecting users to fraudulent payment portals, where their financial data is then illicitly collected and transmitted to attackers via Telegram messaging channels. Security experts are urging administrators to exercise extreme caution and verify all renewal notifications through official channels.
The fraudulent campaign begins with an email subject line, “Renewal due soon – Action required,” employing urgency to prompt immediate action from recipients. The message warns of potential service disruptions without specifying the exact domain name, a tactic that allows the attackers to cast a wider net. The emails are crafted to appear professional and bypass spam filters, making them credible to individuals who may not closely inspect sender details. Anurag Gawande, an independent security analyst, identified the campaign by analyzing its phishing infrastructure, revealing a multi-stage attack designed to maximize data extraction from compromised accounts.
Fake WordPress Domain Renewal Emails Target Admins for Data Theft
Victims who click on the link within the phishing email are directed to a mock WordPress checkout page hosted on attacker-controlled infrastructure at soyfix[.]com/log/log/. This fraudulent page meticulously replicates the legitimate WordPress payment interface, including accurate pricing, VAT calculations, and branded payment method logos, further enhancing its deceptive appearance.
The phishing portal utilizes a JavaScript form to capture critical cardholder details such as name, card number, expiry date, and CVV. Once submitted, this sensitive data is sent via a POST request to a backend script named `send_payment.php`, which immediately forwards the stolen credentials to Telegram bots controlled by the attackers. By relaying stolen data through Telegram instead of dedicated command-and-control servers, the attackers rely on the platform’s encrypted, widely available messaging and leave defenders with no server of their own to take down, making disruption more challenging.
Sophisticated Two-Factor Authentication and OTP Theft
Adding another layer to the deception, the campaign targets two-factor authentication (2FA) after the initial credit card submission. Victims are presented with a fake 3D Secure verification modal that displays merchant details and transaction references. Users are then prompted to enter SMS One-Time Passwords (OTPs). Crucially, the verification process is designed to deliberately fail, displaying a “Verification failed” message irrespective of the accuracy of the entered OTP. This encourages victims to re-enter the code multiple times, allowing attackers to harvest a series of valid OTPs sent to the victim’s mobile device. These collected OTPs are then relayed to Telegram channels through a separate `send_sms.php` endpoint.
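The portal behaviour described above leaves a recognisable trace in web proxy logs: a visit to the checkout path, a POST to `send_payment.php`, and then repeated POSTs to `send_sms.php` as the victim re-enters OTPs into the deliberately failing 3D Secure modal. The following is an added example, not code from the article or from the analyst cited in it: it scans constructed proxy log lines for those indicators. The domain soyfix[.]com, the `/log/log/` path and the two script names come from the article; the log format, timestamps and client addresses are constructed assumptions.

```python
"""
Added example (not from the article): flag outbound requests to the phishing
portal endpoints the article describes, using constructed proxy log lines.
Indicators soyfix[.]com, /log/log/, send_payment.php and send_sms.php come
from the article; the log format, hosts and addresses are constructed.
"""
import re
from urllib.parse import urlparse

# Campaign indicators from the article (written there defanged as soyfix[.]com).
PORTAL_DOMAIN = "soyfix.com"
PORTAL_PATH_PREFIX = "/log/log/"
EXFIL_SCRIPTS = {"send_payment.php": "card data exfil", "send_sms.php": "OTP exfil"}

# Constructed log format: <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def classify_request(method, url):
    """Return a short verdict for one request, or None if it is unrelated."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != PORTAL_DOMAIN and not host.endswith("." + PORTAL_DOMAIN):
        return None
    script = parsed.path.rsplit("/", 1)[-1]
    if method == "POST" and script in EXFIL_SCRIPTS:
        return f"CRITICAL: {EXFIL_SCRIPTS[script]} submitted to {parsed.path}"
    if parsed.path.startswith(PORTAL_PATH_PREFIX):
        return f"HIGH: phishing checkout page visited ({parsed.path})"
    return f"MEDIUM: contact with campaign domain ({host})"

def scan_proxy_log(lines):
    """Return (client_ip, verdict) pairs for every line matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, method, url, _status = m.groups()
        verdict = classify_request(method, url)
        if verdict:
            hits.append((client, verdict))
    return hits

def otp_submission_counts(hits):
    """Count OTP exfil POSTs per client. More than one submission from the
    same client matches the 'Verification failed' retry loop the article
    describes, which is how the attackers harvest several valid OTPs."""
    counts = {}
    for client, verdict in hits:
        if "OTP exfil" in verdict:
            counts[client] = counts.get(client, 0) + 1
    return counts

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2024-05-01T09:12:01Z 10.0.0.15 GET https://wordpress.com/me/purchases 200",
    "2024-05-01T09:13:40Z 10.0.0.15 GET https://soyfix.com/log/log/ 200",
    "2024-05-01T09:14:05Z 10.0.0.15 POST https://soyfix.com/log/log/send_payment.php 200",
    "2024-05-01T09:14:20Z 10.0.0.15 POST https://soyfix.com/log/log/send_sms.php 200",
    "2024-05-01T09:14:25Z 10.0.0.15 POST https://soyfix.com/log/log/send_sms.php 200",
    "2024-05-01T09:15:00Z 10.0.0.22 GET https://example.org/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for client, verdict in hits:
        print(client, verdict)
    print("OTP submissions per client:", otp_submission_counts(hits))
```

A single checkout-page hit is a user who clicked the lure; a `send_payment.php` POST means card data has already left the network, and the OTP count tells the responder how many codes the attackers may hold, which matters when deciding whether the card must be cancelled immediately.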
To further bolster the illusion of legitimacy, the attackers incorporate artificial delays into the process. A seven-second pause after payment submission and four-second delays during the verification process are implemented to mimic the behavior of genuine banking infrastructure, reducing user suspicion. The campaign’s origin traces back to theyounginevitables[.]com, relayed through Alibaba Cloud SMTP infrastructure, with a weak DMARC policy offering inadequate protection against email spoofing.
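The weak DMARC policy mentioned above is what lets mail that merely claims to come from a trusted sender reach inboxes: a `p=none` record only asks receivers to report, not to reject. The following added example, which is not code from the article, does two things a mail administrator would want: it grades a DMARC TXT record by how much spoofing protection it actually enforces, and it triages an inbound message for the campaign's lure subject, the sender domain named in the article, and a non-passing DMARC result in `Authentication-Results`. The subject line and the domain theyounginevitables[.]com are from the article; the record contents, header values and grading thresholds are constructed assumptions.

```python
"""
Added example (not from the article): grade a DMARC record's strength and
triage inbound message headers for the campaign's indicators. The subject
line and sender domain come from the article (which defangs the domain as
theyounginevitables[.]com); records, headers and thresholds are constructed.
"""
import re
from email import message_from_string
from email.message import Message

CAMPAIGN_SUBJECT = "Renewal due soon – Action required"  # verbatim from the article
CAMPAIGN_SENDER_DOMAIN = "theyounginevitables.com"       # from the article

def parse_dmarc(txt_record):
    """Parse a DMARC TXT record ('v=DMARC1; p=none; rua=...') into a tag dict."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_strength(txt_record):
    """Classify the spoofing protection a DMARC record enforces.
    p=none only monitors, so a spoofed message is still delivered;
    pct below 100 exempts a share of mail from the policy entirely."""
    tags = parse_dmarc(txt_record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "weak"
    if policy == "quarantine" or pct < 100:
        return "moderate"
    return "strong"  # p=reject applied to 100% of mail

def normalize(text):
    """Fold dash variants and whitespace so minor lure variations still match."""
    text = text.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", text).strip().lower()

def sender_domain(msg: Message):
    """Domain of the From: header, lowercased; empty string if absent."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def dmarc_result(msg: Message):
    """The dmarc= verdict from Authentication-Results; 'none' if absent."""
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def triage_email(raw):
    """Return the list of reasons this message resembles the campaign."""
    msg = message_from_string(raw)
    reasons = []
    if normalize(msg.get("Subject", "")) == normalize(CAMPAIGN_SUBJECT):
        reasons.append("subject matches campaign lure")
    if sender_domain(msg) == CAMPAIGN_SENDER_DOMAIN:
        reasons.append("From domain matches campaign sender")
    verdict = dmarc_result(msg)
    if verdict in ("fail", "none"):
        reasons.append(f"DMARC did not pass ({verdict})")
    return reasons

# Constructed sample message; header values are illustrative only.
SAMPLE_EMAIL = """\
From: WordPress.com <billing@theyounginevitables.com>
To: admin@example.org
Subject: Renewal due soon – Action required
Authentication-Results: mx.example.org; spf=pass; dkim=none; dmarc=none

Your domain will expire soon. Renew now to avoid service disruption.
"""

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
STRONG_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org"

if __name__ == "__main__":
    print("weak record   ->", dmarc_strength(WEAK_RECORD))
    print("strong record ->", dmarc_strength(STRONG_RECORD))
    for reason in triage_email(SAMPLE_EMAIL):
        print("flag:", reason)
```

The grading is deliberately conservative: a record is only "strong" when `p=reject` applies to all mail, because a partial `pct` or a quarantine policy still lets some spoofed messages through to a user who will only see the WordPress branding. On the receiving side, the indicator match is a triage signal rather than a block decision; the DMARC verdict is what tells you whether the sender domain itself vouched for the message.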
This ongoing phishing operation highlights the evolving tactics of cybercriminals targeting WordPress website administrators. The use of convincing social engineering tactics, coupled with the exploitation of legitimate-looking interfaces and secure messaging platforms, poses a significant threat to the financial security of individuals and organizations managing WordPress websites. Continuous vigilance and adherence to best security practices are paramount in mitigating such attacks.
Organizations are strongly advised to educate their administrators on the risks associated with unsolicited renewal notices. All domain renewal and service update notifications should be verified directly through the official WordPress dashboard rather than by clicking links provided in emails. Staying informed about emerging phishing techniques and maintaining updated security protocols will be essential in safeguarding against similar future threats.