The PhishWP plugin enables scammers to create fake payment pages, stealing sensitive data via Telegram
Analysis Summary
# Tool/Technique: PhishWP Plugin
## Overview
PhishWP is a malicious WordPress plugin used by cybercriminals to deploy highly sophisticated phishing campaigns aimed at stealing financial and personal data. It creates convincing fake payment pages mimicking legitimate services like Stripe.
## Technical Details
- Type: Tool/Malicious Plugin
- Platform: WordPress (installed as a plugin on PHP/WordPress sites)
- Capabilities: Creation of customized, deceptive payment processing interfaces; data exfiltration via Telegram; theft of full credit card details, billing addresses, OTPs, and browser metadata.
- First Seen: Information not explicitly provided, but observed circulating on a Russian cybercrime forum prior to January 6, 2025.
## MITRE ATT&CK Mapping
Since PhishWP is fundamentally a means of harvesting and exfiltrating sensitive information through a web interface, the following tactics and techniques apply:
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (if a vulnerability in the WordPress site is used to deploy the plugin)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (data sent over Telegram)
- **TA0011 - Collection**
  - T1006 - Input Capture: Credential Harvesting (collecting card numbers, OTPs, addresses)
## Functionality
### Core Capabilities
- **Payment Page Mimicry:** Generates customizable checkout pages designed to closely replicate interfaces of trusted payment processors (e.g., Stripe).
- **Sensitive Data Capture:** Collects credit card numbers, billing addresses, and user-entered One-Time Passwords (OTPs).
- **3DS Bypass:** Includes functionality for a 3DS code popup to siphon off data required for 3D Secure authentication.
- **Information Exfiltration:** Steals user IP addresses and browser information alongside financial data.
### Advanced Features
- **Telegram Exfiltration:** Transmits all collected data directly and often in real-time to the attacker's designated Telegram account.
- **Deceptive Confirmation:** Sends a seemingly legitimate order confirmation email to the victim to delay detection of the theft.
- **Internationalization:** Supports multiple languages, enabling global phishing campaigns.
- **Obfuscation:** Includes options to conceal its malicious intent.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: PhishWP (The name of the plugin)
- Registry Keys: [Not applicable: the plugin runs on PHP/WordPress, not Windows]
- Network Indicators: Outbound connections to Telegram API endpoints used for data transmission (defanged: telegram[.]org or the relevant Bot API endpoint).
- Behavioral Indicators: Sudden outbound network activity from compromised WordPress servers to Telegram endpoints; creation of file paths associated with storing stolen data locally before exfiltration (if applicable).
## Associated Threat Actors
- Cybercriminals operating on Russian cybercrime forums.
## Detection Methods
- Signature-based detection: Signatures targeting the specific code patterns or file names associated with the PhishWP plugin installation.
- Behavioral detection: Monitoring outbound network connections from web servers to non-standard service endpoints (like Telegram APIs) that often handle C2 traffic for web-based malware. Endpoint detection should look for suspicious file operations related to form handling/data logging.
- YARA rules: [Not provided in the source text]
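The behavioral and signature-based checks described above can be scripted. The following is an added example written for this report, not code from the source article or from the PhishWP plugin itself. It assumes a simplified egress-proxy log format (epoch, client IP, destination host, HTTP status) and uses constructed log lines and a constructed PHP snippet; the regex indicators are heuristics chosen for illustration, not signatures extracted from the real plugin.

```python
"""Detection helpers for Telegram-based exfiltration from a WordPress host (added example)."""
import re
from collections import Counter

# api.telegram.org is the Bot API host; telegram.org is the defanged host the report names.
TELEGRAM_HOSTS = {"api.telegram.org", "telegram.org"}

# Constructed egress-proxy log lines: "<epoch> <client_ip> <dest_host> <http_status>".
# These are sample values for the example, not data from a real incident.
SAMPLE_EGRESS_LOG = """\
1736121600 10.0.1.15 wordpress.org 200
1736121601 10.0.1.15 api.wordpress.org 200
1736121602 10.0.1.15 api.telegram.org 200
1736121603 10.0.1.15 api.telegram.org 200
1736121604 10.0.1.22 updates.example.net 200
1736121605 10.0.1.15 api.telegram.org 200
"""

EGRESS_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_egress_line(line):
    """Return (epoch, client_ip, dest_host, status) or None for a malformed line."""
    m = EGRESS_RE.match(line.strip())
    if not m:
        return None
    epoch, client, host, status = m.groups()
    return int(epoch), client, host.lower(), int(status)


def find_telegram_egress(log_text, web_servers):
    """Count outbound hits to Telegram hosts per web-server IP.

    Only clients listed in `web_servers` are considered: a WordPress box has no
    reason to talk to the Telegram Bot API, while an admin workstation might.
    Returns {client_ip: hit_count} for clients with at least one hit.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_egress_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than failing the whole scan
        _, client, host, _ = rec
        if client in web_servers and host in TELEGRAM_HOSTS:
            hits[client] += 1
    return dict(hits)


# Source-level heuristics (assumed for this example): a Telegram Bot API
# sendMessage URL and payment/OTP form fields read from the request in the same file.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot[^/\s'\"]*/sendMessage", re.I)
CARD_FIELD_RE = re.compile(
    r"\$_(?:POST|REQUEST)\[\s*['\"](?:card(?:_?number)?|cvv|cvc|exp(?:iry)?|otp|3ds[^'\"]*)['\"]\s*\]",
    re.I,
)


def scan_plugin_source(php_source):
    """Return the list of indicator names found in one PHP file's text."""
    findings = []
    if BOT_API_RE.search(php_source):
        findings.append("telegram_bot_sendmessage")
    if CARD_FIELD_RE.search(php_source):
        findings.append("card_or_otp_field_read")
    if len(findings) == 2:
        # Both in one file is the PhishWP pattern the report describes: capture plus Telegram exfil.
        findings.append("HIGH: payment fields and Telegram exfil in same file")
    return findings


# Constructed PHP fragments for the scanner; <BOT_TOKEN> is a placeholder, not a real token.
SUSPICIOUS_SNIPPET = """<?php
$c = $_POST['card_number'];
$url = "https://api.telegram.org/bot<BOT_TOKEN>/sendMessage";
"""
BENIGN_SNIPPET = """<?php
$r = wp_remote_get('https://api.wordpress.org/plugins/info/1.2/');
"""

if __name__ == "__main__":
    print(find_telegram_egress(SAMPLE_EGRESS_LOG, {"10.0.1.15"}))
    print(scan_plugin_source(SUSPICIOUS_SNIPPET))
    print(scan_plugin_source(BENIGN_SNIPPET))
```

In practice the web-server allow-list would come from the asset inventory and the log parser from the actual proxy or NetFlow format; the point of the example is the pairing of a network check (web servers reaching Telegram at all) with a source check (payment fields and a Bot API URL in the same plugin file), since either alone produces false positives.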
## Mitigation Strategies
- Prevention measures: Employ advanced browser-based phishing protection tools capable of real-time URL threat detection.
- Hardening recommendations: Regularly update WordPress core, themes, and plugins; restrict file upload permissions on public-facing web servers; utilize Web Application Firewalls (WAFs) to monitor request anomalies.
## Related Tools/Techniques
- Telegram Bot Abuse for Phishing (Cited in related articles).
- General Information Stealers disguised as legitimate software components.