Fake WordPress Renewal Email Steals Admin Credit Card Data
A deceptive phishing campaign is actively targeting WordPress administrators with convincing Fake WordPress Renewal notices designed to steal credit card information and two-factor authentication codes.
The emails masquerade as a legitimate WordPress renewal notice and carry the subject line “Renewal due soon – Action required.”
The message uses urgency-based tactics to pressure recipients into immediate action, warning of potential service disruption without specifying the actual domain name. This generic approach allows the campaign to cast a wide net across multiple organizations.
The email maintains a polished, professional appearance designed to bypass spam filters and appear credible to recipients who may not scrutinize the sender details closely enough.

An independent security analyst, Anurag Gawande, identified the phishing campaign after analyzing its infrastructure. Upon investigation, Gawande discovered a multi-stage attack designed to extract maximum value from each compromised account.
Victims clicking the email link are directed to a fake WordPress checkout page hosted on attacker infrastructure at soyfix[.]com/log/log/.
Infection mechanisms
The page displays a convincing replica of the legitimate WordPress payment interface, complete with accurate pricing breakdowns, VAT calculations, and branded payment method logos.

The phishing portal collects cardholder information through a JavaScript form that captures the cardholder name, card number, expiry date, and CVV.
Upon submission, this sensitive data is sent via POST request to a backend script named send_payment.php, which immediately forwards the stolen credentials to attacker-controlled Telegram bots.
The deception deepens through a second stage targeting two-factor authentication. After card submission, victims encounter a fake 3D Secure verification modal displaying merchant details, transaction references, and amounts.
Users are prompted to enter SMS OTPs. However, the verification process deliberately returns a “Verification failed” message regardless of whether the OTP is correct.

This forces victims to retry multiple times, allowing attackers to harvest numerous valid OTP codes sent to the victim’s mobile device. These codes are immediately relayed to Telegram channels through a separate send_sms.php endpoint.
The campaign employs psychological trust mechanisms including artificial loading delays—a seven-second pause after payment submission and four-second verification processing delays—to convince victims they are engaging with legitimate banking infrastructure.
These deliberate delays reduce user suspicion and increase the likelihood of compliance.
The attackers cleverly avoid traditional command-and-control infrastructure by leveraging Telegram as their primary exfiltration channel. This approach offers several advantages: minimal infrastructure costs, built-in encryption, difficulty in disruption, and reduced detectability compared to conventional hosted panels.
Email header analysis reveals the campaign originates from theyounginevitables[.]com relayed through Alibaba Cloud SMTP infrastructure, with a weak DMARC policy offering no protection against spoofing.
Organizations should educate administrators to never click domain renewal links in emails and instead verify all renewal notices directly through official WordPress dashboards.
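As an added illustration that is not part of this report, the following Python routine turns the indicators described above into a mail-triage check: an urgency subject, a notice that never names the recipient's own domain, a From domain that differs from the Return-Path domain, a payment link to a host outside the expected WordPress domain, and a sender domain whose DMARC record would not block spoofing. The sample message, the placeholder hosts and the trusted-domain list are constructed assumptions, not the campaign's real values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; sender, relay and
# checkout hosts are placeholders, not the campaign's real infrastructure.
SAMPLE_EMAIL = """\
From: WordPress Billing <billing@sender-placeholder.example>
Return-Path: <bounce@relay-placeholder.example>
Subject: Renewal due soon - Action required
Content-Type: text/plain

Your WordPress plan renews soon. Pay now to avoid service disruption:
https://checkout-placeholder.example/log/log/
"""
TRUSTED_LINK_DOMAINS = {"wordpress.com"}  # assumption: where genuine notices link

def dmarc_policy_is_weak(txt_record: str) -> bool:
    """True if the DMARC record would not block spoofed mail: only p=quarantine
    or p=reject tell receivers to act, and pct below 100 weakens either."""
    tags = {}
    for part in txt_record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    return policy not in ("quarantine", "reject") or pct < 100

def triage_renewal_email(raw: str, our_domain: str, sender_dmarc: str) -> list[str]:
    """Return the lure indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    if re.search(r"due soon|action required", msg.get("Subject", ""), re.I):
        findings.append("urgency subject")
    if our_domain.lower() not in body.lower():
        findings.append("notice does not name our domain")
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    path_host = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_host and path_host and from_host != path_host:
        findings.append("From domain differs from Return-Path domain")
    for link in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(link).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS):
            findings.append(f"payment link to untrusted host: {host}")
    if dmarc_policy_is_weak(sender_dmarc):
        findings.append("sender domain DMARC would not block spoofing")
    return findings
```

In practice the DMARC record is fetched from DNS (`_dmarc.<sender-domain>` TXT) and passed in; the sample message yields all five findings when the record is `p=none`.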
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.