WordPress Admins Targeted by Renewal Email Phishing Scam

A phishing campaign targeting WordPress admins uses fake renewal emails to steal credit card data and 2FA codes in real time.

Written By
Ken Underhill
Jan 6, 2026

A new phishing campaign is actively targeting WordPress administrators with convincing domain renewal emails that lead to real-time theft of credit card data and two-factor authentication codes. 

The attack relies on urgency, polished branding, and a multi-stage payment workflow to trick victims into handing over sensitive financial information.

The campaign “… leads victims to a fake WordPress payment portal hosted on attacker infrastructure and performs theft of credit card details and 3-D Secure OTPs, which are exfiltrated to the attacker via Telegram,” said researchers.

Inside the Domain Renewal Phishing Scheme

The attack begins with a carefully crafted phishing email bearing the subject line “Renewal due soon – Action required.” 

The message uses urgency-based language to pressure recipients into immediate action, warning of potential service disruption while deliberately omitting the actual domain name. 

This generic wording allows attackers to reuse the same email across many organizations while maintaining plausible legitimacy and increasing the likelihood that recipients will respond.

When a victim clicks the embedded link, they are redirected to a fraudulent WordPress payment page hosted on attacker-controlled infrastructure at soyfix[.]com/log/log/.

The page closely replicates the legitimate WordPress checkout experience, featuring accurate pricing breakdowns, VAT calculations, and recognizable payment method logos. 

Victims are prompted to enter their credit card details, which are captured through a JavaScript-based form and sent to a backend script named send_payment.php.

Upon submission, the stolen card data is immediately exfiltrated to attacker-controlled Telegram bots, enabling real-time harvesting of financial information.

The campaign then escalates into a second stage designed to steal two-factor authentication (2FA) credentials. After submitting payment information, victims are presented with a fake 3D Secure verification modal that mimics standard banking authentication flows. 

The interface displays realistic merchant names, transaction references, and payment amounts, reinforcing the illusion of legitimacy. 

Users are prompted to enter SMS one-time passwords sent by their bank, but the system always returns a “Verification failed” message, regardless of whether the OTP is valid.

This forced retry behavior allows attackers to collect multiple valid OTPs from a single victim. 

Each code entered is transmitted through a separate backend endpoint, send_sms.php, and relayed to Telegram channels for immediate use. 

To further reduce suspicion, the attackers introduce deliberate processing delays, including a several-second pause after payment submission and shorter delays during verification. 

These artificial wait times closely resemble real payment and banking systems, increasing user trust and compliance throughout the attack flow.


Defending Against Domain Renewal Phishing

Attacks targeting domain renewals and payment processes are designed to exploit urgency, trust in familiar brands, and gaps in authentication and monitoring. 

The following measures outline practical steps security teams can take to reduce exposure, detect abuse earlier, and limit the impact of successful phishing attempts.

  • Require administrators to verify all billing and renewal activity by navigating directly to official WordPress or registrar dashboards rather than clicking links in emails.
  • Enforce phishing-resistant multi-factor authentication for administrative and billing accounts and monitor for repeated OTP failures or anomalous authentication behavior.
  • Strengthen email and web security controls by enforcing DMARC, DKIM, and SPF, blocking newly registered or low-reputation domains, and scanning links for malicious content.
  • Centralize and restrict domain and payment management by limiting privileged access, using dedicated payment methods, and enabling registrar-level security features such as account alerts.
  • Monitor network, DNS, and endpoint logs for connections to suspicious domains, payment portals, or abnormal administrative activity and integrate alerts into a SIEM.
  • Conduct targeted security awareness training and phishing simulations for staff with administrative or financial access, and regularly test incident response plans.
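The monitoring bullet above is easier to act on with a concrete rule, so here is an added example that is not part of the original article or the researchers' tooling. It runs two checks over a few constructed proxy log lines (the log format is hypothetical): a straight indicator match on the portal host and the two backend endpoints the article names (soyfix[.]com, /log/log/, send_payment.php, send_sms.php), and a behavioural rule for the forced-retry pattern described in the attack flow, where one payment-style POST is followed by several OTP-style POSTs from the same source within a short window. The second rule is domain-independent, so it generalizes beyond this campaign's infrastructure; the endpoint-name patterns it keys on are assumptions, not indicators from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators taken from the article. The host is written defanged; undo that once.
IOC_HOST = "soyfix[.]com".replace("[.]", ".")
IOC_PATHS = ("/log/log/", "send_payment.php", "send_sms.php")

# Endpoint-name heuristics for the behavioural rule (assumed, not from the article).
PAYMENT_RE = re.compile(r"pay|checkout", re.I)
OTP_RE = re.compile(r"sms|otp|verif|3ds", re.I)

# Constructed sample proxy log: "<timestamp> <src_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2026-01-06T09:14:02Z 10.0.0.12 GET https://soyfix.com/log/log/ 200
2026-01-06T09:15:40Z 10.0.0.12 POST https://soyfix.com/log/log/send_payment.php 200
2026-01-06T09:16:05Z 10.0.0.12 POST https://soyfix.com/log/log/send_sms.php 200
2026-01-06T09:16:31Z 10.0.0.12 POST https://soyfix.com/log/log/send_sms.php 200
2026-01-06T09:17:02Z 10.0.0.12 POST https://soyfix.com/log/log/send_sms.php 200
2026-01-06T09:20:00Z 10.0.0.33 GET https://example.org/wp-admin/ 200
2026-01-06T09:21:10Z 10.0.0.33 POST https://example.org/checkout/pay 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "url": url,
        "status": int(status),
    }


def ioc_hits(lines):
    """Return (src_ip, url) pairs whose host or path matches the article's indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        if host == IOC_HOST or any(p in parsed.path for p in IOC_PATHS):
            hits.append((rec["src"], rec["url"]))
    return hits


def forced_retry_sources(lines, window=timedelta(minutes=10), min_otp_posts=2):
    """Flag sources showing the forced-retry shape: a payment-style POST followed,
    inside `window`, by at least `min_otp_posts` POSTs to an OTP-style endpoint.
    A legitimate 3-D Secure flow normally needs one OTP submission, so repeated
    submissions right after a card form are worth an analyst's attention."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            posts[rec["src"]].append(rec)

    flagged = []
    for src, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        for i, pay in enumerate(recs):
            path = urlparse(pay["url"]).path
            # Only treat a POST as the "card form" step if it looks like payment, not OTP.
            if not PAYMENT_RE.search(path) or OTP_RE.search(path):
                continue
            otp_posts = [
                r for r in recs[i + 1:]
                if r["ts"] - pay["ts"] <= window and OTP_RE.search(urlparse(r["url"]).path)
            ]
            if len(otp_posts) >= min_otp_posts:
                flagged.append(src)
                break  # one alert per source is enough
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, url in ioc_hits(lines):
        print(f"IOC match: {src} -> {url}")
    for src in forced_retry_sources(lines):
        print(f"Forced-retry OTP pattern from {src}")
```

The indicator check is cheap and exact but dies with the domain; the behavioural rule survives infrastructure changes at the cost of some false positives, so in a SIEM the two are best combined, with the second used to raise severity on hosts that also have a first-time visit to a low-reputation domain.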

These steps help reduce phishing risk and limit the impact of compromised administrative accounts.


Phishing Is Exploiting Trusted Workflows

This campaign reflects a broader shift toward highly realistic, financially motivated phishing attacks that closely mimic legitimate payment and authentication workflows. 

Rather than relying on simple credential prompts, attackers are increasingly abusing trusted billing processes and security mechanisms to bypass user skepticism and extract sensitive data with greater efficiency and scale. 

As attackers continue to exploit trusted workflows to bypass traditional defenses, many organizations are turning to zero-trust solutions to enforce continuous verification and reduce reliance on implicit trust.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
