WordPress Phishing Scams: What Every User Needs to Know
WordPress powers 30% of the web and is by far the largest content management system (CMS). It's easy-to-use and has fans that range from regular users to developers. However, popularity breeds exposure.
When users adopt a platform, that means there is an opportunity—opportunities for hackers. Because so many businesses and individuals use it, it's very attractive to hackers. A study looked at over 11,000 infected websites and found 75% were WordPress sites, which is an indication of its vulnerabilities but also their market share. Most of these infections probably started with phishing.
Phishing simulations & training
Why So Vulnerable, WordPress?
So, how does a CMS that's so prevalent has so many vulnerabilities? It's not the platform itself that creates much of these weak spots. Much of the activity in breaching these sites is via plug-ins. Plug-ins are convenient and connect systems and allow them to communicate. But not every plug-in has the same security protocols. It only takes one weak link for hackers to find a way into the application.
It's not like WordPress didn't foresee that risk would only increase. Their founder talked about it way back in 2007. Moreover, as the web has grown, no housing billions of websites, the spam that a WordPress site must thwart grows. WordPress sites over 82,000 more spam incidents an hour than they did a decade before.
WordPress Phishing Scams: Two Ways Hackers Get Users
There are two ways in which phishing can impact WordPress users. First, your site can be set can be compromised in two ways: hackers are using your WordPress site to lure in others, or administrators receive phishing emails.
Phishing's objective is to obtain sensitive information. It starts with some type of communication with links. It looks legitimate, but that one click is all it takes for the "hook" to work. Where that link goes is to an infected page, one that could be on your website, and you don't even know it.
Phishing Pages
Most attackers use a WordPress site as a magnet to distribute malware via phishing. The hacker uses the WordPress site as a cover. This is the most used tactic, but threat actors can also use phishing tactics against website administrators to get access to the site to steal PPI (protected personal information).
The majority of WordPress administrators have no idea that phishing pages are on the site. The files are not included with the legitimate pages, and the website doesn't appear to be different. They are hidden from the visible eye. So, you may only learn the pages are there when you get a notification from someone who received the phishing email.
Finding and Removing Phishing Pages
So, how can you find these pages and remove them? It's all about the code.
You'll need to inspect the code to understand if your WordPress site has been hacked. These pages will be standalone and buried within the CMS. One way to find them is by their name. Since a phishing scam is an effort to mimic your site so that it looks legitimate, file names give it away. The files will contain items associated with your brand but not be pages you created.
Hunting all through the site isn't an effective way to find these pages. Download all the site files locally to analyze them. The files you are looking for will most likely be grouped together. They often have a directory name that has the organization name. Once you find the corrupt files delete them, but there aren't only pages. Malicious code can be embedded into shopping cart pages, redirecting customers to the fake checkout instead of the real one. You should also find a file called password.txt, which is there to collect the information of the hacked.
Phishing Emails
On the other side of this experience is that administrators of WordPress sites receive a phishing email that looks exactly like a notification they may receive many times a day. Novice or professional users can fall victim to this.
WordPress Phishing Scams Can Fool Even WordPress Pros
For those that manage multiple WordPress sites, their email is bombarded with emails from those sites. So, if one slips in that looks official, it'd be easy to click on it. One interesting thing that scammers will do is forward an email, so it looks like an actual person sent the email, and that it needs the reader's attention.
That's when recipients need to look closer. Asking questions like:
It's best to ask questions and do a quick search to see if this is really legitimate. Even the best WordPress user can be fooled when the email is so familiar and looks like what they might receive on a regular basis.
Password Reset Emails Are Red Flags
If you look on the WordPress support boards, you'll find lots of questions around how someone was able to obtain usernames and passwords for their sites. One thing that keeps getting repeated is that account holders were receiving password reset emails. These, of course, look like they are coming from your domain. Except you didn't try to reset your password. The reset email link looks like it's your domain but clicking on it either messes up your login or compromises it in some way. So, don't click on anything you didn't ask to reset.
Emails Received by Customers Look Real
When a malicious hacker has infiltrated a WordPress site, they begin spinning of emails. Sometimes it's a small trickle; while other times, it may go out to an entire customer base. The emails will look like they are coming from your domain. However, the message is what's suspicious and what clients should be warned of educationally. First, tell them that emails that request PPI or other sensitive information would never come from the company. Further, urge customers to forward to you these types of emails, so you're team can proceed to investigate.
This type of phishing campaign often spikes when WordPress vulnerabilities are exposed. Your domain needs to be protected; thus if hackers know the vulnerabilities, you should as well. Then take the actions to close the loop on security.
Even though your website has been compromised, as hackers can send emails from your domain, the links won't always go to phishing pages on your site. They may link to another WordPress sites that have been hacked.
Advanced Phishing Techniques
Hackers aren't just going to do the same thing they've always done. As security measures increase so does the creativity of a hacker. Here are some additional examples of how they can obfuscate URLs:
See Infosec IQ in action
WordPress Phishing Prevention
Prevention and awareness both need to be internal and external. Some of the largest organizations in the world are the target of WordPress phishing scams. While they have a team of vigilant technology experts, hackers are sometimes successful. Thus, you need security awareness training to prevent users from clicking on phishing emails internally or externally. Make training for staff mandatory. Write educational pieces on it for your audience. With a better understanding of exactly how phishing works, this should lead to fewer damaging clicks.
In this Series
- WordPress Phishing Scams: What Every User Needs to Know
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
