WordPress Admins Targeted by Renewal Email Phishing Scam

eSecurity Planet • January 6, 2026

Companies Mentioned

Telegram


Why It Matters

The attack exploits trusted billing workflows, exposing organizations to direct financial loss and credential compromise. It underscores the need for stronger MFA, email authentication, and zero‑trust controls in SaaS environments.

Key Takeaways

  • Phishing emails mimic WordPress renewal notices.
  • Fake payment page captures cards and 3‑DS OTPs.
  • Data exfiltrated instantly to Telegram bots.
  • Attack leverages urgency and realistic UI delays.
  • Zero‑trust and MFA recommended to mitigate.

Pulse Analysis

The wave of credential‑free phishing attacks has shifted toward hijacking familiar payment processes, and the latest WordPress renewal scam exemplifies this trend. By crafting emails that appear to come from WordPress’s own renewal system, attackers bypass the initial suspicion barrier. The embedded link leads to a replica checkout page that mirrors legitimate pricing, VAT calculations, and payment logos, prompting administrators to enter full card details. This approach not only captures primary payment data but also sets the stage for a secondary theft vector—fake 3‑D Secure verification that siphons OTP codes in real time.

Technically, the fraudulent portal runs on attacker‑owned infrastructure, using JavaScript to harvest card numbers and forward them to a backend script, which then pushes the information to Telegram bots for instant collection. After payment submission, victims encounter a mock 3‑D Secure modal that mimics bank authentication screens, encouraging them to input SMS OTPs. The system deliberately returns a generic "Verification failed" message, prompting repeated attempts and yielding multiple valid OTPs per victim. This multi‑stage exfiltration bypasses traditional credential‑based defenses and leverages legitimate‑looking network latency to reinforce trust, making detection by standard email filters or web proxies more difficult.

Mitigating this threat requires a layered strategy. Administrators should verify billing actions directly through official dashboards rather than email links, and enforce phishing‑resistant MFA for all privileged accounts. Deploying DMARC, DKIM, and SPF helps block spoofed messages, while zero‑trust architectures enforce continuous verification of user actions, reducing reliance on implicit trust in familiar workflows. Continuous monitoring of DNS queries, network traffic to newly registered domains, and anomalous payment portal activity—integrated into a SIEM—can surface early indicators of compromise. Combined with targeted security awareness training for finance‑related roles, these controls can significantly lower the risk of successful domain renewal phishing attacks.
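The email-side checks described above can be sketched as a small triage function. This is an added example, not code from the article or from WordPress. The allow-list `OFFICIAL`, the receiver name `TRUSTED_AUTHSERV` and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumptions: billing domains you consider official, and your own MTA's authserv-id.
OFFICIAL = {"wordpress.com", "wordpress.org"}
TRUSTED_AUTHSERV = "mx.corp.example"
THEME_RE = re.compile(r"\b(renew\w*|expir\w*|billing|payment)\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_official(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for hdr in map(str, msg.get_all("Authentication-Results", [])):
        # Only trust results stamped by our own receiver; senders can forge the rest.
        if hdr.split(";")[0].strip().lower() == TRUSTED_AUTHSERV:
            auth.update((m.lower(), r.lower()) for m, r in AUTH_RE.findall(hdr))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    findings = []
    senders = msg["From"].addresses if msg["From"] else ()
    if any(is_official(a.domain) for a in senders) and auth["dmarc"] != "pass":
        findings.append("official From domain without DMARC pass")
    if THEME_RE.search(f"{msg['Subject'] or ''} {body}"):
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not is_official(host):
                findings.append(f"renewal-themed link to non-official host {host}")
    return findings

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: "WordPress.com" <billing@wordpress.com>
Subject: Action required: your domain renewal is due
Authentication-Results: attacker.example; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=wordpress.com; dkim=none; dmarc=fail header.from=wordpress.com

Your plan expires today. Renew now: https://wp-billing-renew.example/checkout
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The forged `Authentication-Results` header in the sample is ignored because it does not carry the receiver's own authserv-id, which is why the function needs that value configured.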
