WordPress Phishing Steals Cards and OTPs!

✨ Megiddo

Researchers have identified a new, sophisticated phishing campaign targeting WordPress website owners. The attackers send emails claiming that domain registrations are about to expire, ultimately tricking victims into giving up not only bank card information but also one-time codes. Cyberthreat researcher Anurag described the attack.

The email appears alarming and arrives with a subject line like "Renewal due soon – Action required." The intent is simple: to scare users and force them to act quickly. But there's an important detail, which the researcher immediately points out: the email doesn't name the specific domain that's supposedly expiring. This is highly unusual for genuine renewal notifications and should raise red flags in itself.

If the victim clicks the "Renew Now" button, they're redirected to a fake payment page hosted on the soyfix[.]com domain. Visually, it's almost indistinguishable from a genuine WordPress checkout: payment system icons, a "Secure order validation" label, and plausible amounts like $13.00 plus VAT. Everything looks so neat that any doubts quickly disappear. But the "order," of course, is fictitious. The page simply collects the cardholder's name, card number, expiration date, and CVV and immediately sends them to the attackers.

The attack doesn't end there. The next step is a fake 3D Secure Verification window, where the user is asked to enter a code from an SMS. To make everything look as authentic as possible, the script mimics a bank's verification flow: a seven-second load time, followed by a few more seconds of "verification." After that, the system reports an error. The error appears every time, deliberately, to trick the victim into entering new OTP codes over and over again. This way, the attackers obtain several valid confirmation codes at once.

The campaign's infrastructure deserves special attention. Instead of traditional command-and-control servers, the attackers use Telegram. Website-side scripts (send_payment.php and send_sms.php) forward stolen data directly to a Telegram bot or channel. This approach is cheaper, simpler, and much harder to block than traditional C2 servers.

The emails were sent from admin@theyounginevitables[.]com, which masqueraded as WordPress support. Header analysis revealed a weak DMARC policy (p=NONE), allowing the sender spoofing to proceed without any restrictions.

WordPress users are advised to remain calm and check such notifications manually, through the official WordPress.com dashboard, not via links in emails. And a simple rule of thumb: if a renewal notification doesn't specify which domain needs to be renewed, it's almost certainly a trap.

@ Anti-Malware
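The weak DMARC policy found in the header analysis (p=NONE) is what let the spoofed sender through. As an added example, not code from the original post or from the researcher, here is a small Python checker that parses a DMARC TXT record, flags p=none and other settings that weaken it, and shows what disposition a receiver applies to a message that fails DMARC. The two records are constructed samples, not the real records of any domain named above.

```python
"""Parse a DMARC TXT record and explain what a given policy lets through."""

# Constructed sample records (not the real records of any domain on the page).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy and the weaknesses a defender would flag."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag: receivers ignore the record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    # sp= defaults to the organisational policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts go unreported")
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct, "findings": findings}


def spoofed_mail_disposition(record: str, dmarc_result: str) -> str:
    """What a receiver does with a message whose DMARC evaluation gave dmarc_result."""
    if dmarc_result == "pass":
        return "deliver"
    policy = assess_dmarc(record)["policy"]
    # Anything other than quarantine/reject (including p=none) lets the mail through.
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
```

With the weak record a message that fails DMARC is still delivered, which is exactly the gap the campaign exploited; with the strong record it is rejected.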
