{"id":1430,"date":"2025-01-07T11:37:37","date_gmt":"2025-01-07T11:37:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1430"},"modified":"2025-01-07T11:37:37","modified_gmt":"2025-01-07T11:37:37","slug":"russian-hackers-turn-trusted-online-stores-into-phishing-pages","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1430","title":{"rendered":"Russian hackers turn trusted online stores into phishing pages"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In a smart campaign, Russian cybercriminals are turning trusted online stores into <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a> pages that capture sensitive details through convincing payment interfaces.<\/p>\n<p>According to research by the cybersecurity firm SlashNext, the Russian miscreants have built a WordPress plugin, PhishWP, which creates fake payment pages that look like trusted services, such as Stripe.<\/p>\n<p>\u201cWordPress is one of the most popular web application publishing platforms that is easy to customize via plugins,\u201d said Mayuresh Dani, manager of security research at Qualys Threat Research Unit. 
\u201cConsumers and administrators alike are familiar with the WordPress interface, which makes plugins such as PhishWP a higher risk.\u201d<\/p>\n<p>According to SlashNext, information at risk includes credit card number, expiration date, CVV, billing address, and browser metadata.<\/p>\n<h2 class=\"wp-block-heading\">Telegram for faster exfiltration<\/h2>\n<p>PhishWP integrates with <a href=\"https:\/\/www.csoonline.com\/article\/565412\/what-is-telegram-and-is-it-secure.html\">Telegram<\/a>, instantly transmitting stolen data to attackers once a victim presses \u201center,\u201d SlashNext noted in a <a href=\"https:\/\/slashnext.com\/blog\/phishwp-turns-sites-into-phishing-traps\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>, accelerating and enhancing the efficiency of phishing attacks.<\/p>\n<p>\u201cAs soon as a user enters their payment details, the plugin transmits that information directly to the attacker, via instant messaging platforms like Telegram,\u201d said Jason Soroko, senior fellow at Sectigo. \u201cThis immediate forwarding of information equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data\u2014sometimes within minutes of capturing it.\u201d<\/p>\n<p>Attackers can either hack legitimate WordPress websites or create fake ones to install the plugin. Once set up to look like a payment gateway, it tricks users into entering their payment information.<\/p>\n<p>The plugin was reportedly found to be distributed on a Russian cybercrime forum.<\/p>\n<h2 class=\"wp-block-heading\">Advanced OTP theft<\/h2>\n<p>The research also revealed an added potential for the plugin to be used for more advanced theft leading to fake transactions.<\/p>\n<p>According to SlashNext findings, PhishWP employs advanced tactics, such as stealing the OTP sent during a 3D Secure (3DS) check. 
By capturing this code, attackers can impersonate users, making their fraudulent transactions appear legitimate.<\/p>\n<p>\u201cWith the OTP in hand, cybercriminals <a href=\"https:\/\/www.csoonline.com\/article\/571355\/cybercriminals-bypass-2fa-and-otp-with-robocalling-and-telegram-bots.html\">bypass one of the most critical safeguards<\/a> in digital transactions, making their fraudulent activities look alarmingly legitimate to both banks and unwitting shoppers,\u201d Soroko said. \u201cMany people have been trained to believe that one-time passcodes (OTP) help a system to be more secure, but in this case, they are merely handing over the keys to their adversary.\u201d<\/p>\n<p>Other key features offered with the plugin include customizable checkout pages, auto-response emails, multi-language support, and obfuscation options.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a smart campaign, Russian cybercriminals are turning trusted online stores into phishing pages that capture sensitive details through convincing payment interfaces. According to research by the cybersecurity firm SlashNext, the Russian miscreants have built a WordPress plugin, PhishWP, which creates fake payment pages that look like trusted services, such as Stripe. 
\u201cWordPress is [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1425,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1430","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1430"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1430"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1430\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1425"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}