Attackers are using spoofed renewal notices to collect credit card information and one-time codes from WordPress administrators.
Security researchers identified a phishing campaign targeting WordPress administrators with fake domain renewal emails that imitate official WordPress.com notices. The messages warn that a renewal is due and urge recipients to take immediate action, directing them to a fraudulent payment page designed to collect credit card details and authentication codes. Cyber Security News reported that the campaign was uncovered by independent analyst Anurag Gawande after reviewing the phishing infrastructure and payment workflows used by the attackers.
The emails use generic language and omit specific domain names, which allows attackers to send them at scale across multiple organizations. Victims who click the link are taken to a fake checkout page that closely mirrors WordPress branding and pricing layouts, including tax calculations and payment logos. Card details entered into the form are captured by client-side scripts and transmitted to attacker-controlled systems through Telegram bots rather than a traditional command-and-control server. After payment submission, victims are shown a fake 3D Secure verification screen that repeatedly rejects the codes they enter, prompting multiple attempts and enabling the collection of valid one-time passwords sent to the victim’s phone.
Researchers said the campaign relies on timing and visual cues rather than malware delivery. Artificial delays built into the payment and verification steps are intended to make the process feel authentic. Analysts also observed that the phishing emails were sent from domains with weak email-authentication policies, allowing spoofed messages to pass basic checks. Security specialists advised administrators to avoid interacting with renewal links delivered by email and to verify billing activity only through official dashboards or direct logins to trusted services.
According to analysis by the researcher who uncovered the campaign, renewal-themed phishing remains effective because it relies on behavioral pressure rather than technical compromise. The fake WordPress emails deliberately omit any specific domain name, allowing attackers to reuse the same message at scale while still appearing legitimate to administrators. Generic greetings and urgency-driven language such as “Action required” are used to prompt quick action, while call-to-action links redirect victims away from genuine WordPress infrastructure to external payment pages. The researcher noted that a polished and professional presentation is part of the deception, helping the emails evade spam filters and appear credible to recipients who expect routine renewal notices.
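As an added, defender-side illustration that is not from the article or the researcher's analysis, the following Python checks a raw email for the cues described above: a From address claiming the brand while the receiving mail server recorded SPF/DKIM/DMARC failures, urgency wording, a generic greeting, a call-to-action link that leaves the brand's own infrastructure, and a renewal notice that names no domain. The sample message, the trusted-domain list and the phrase lists are constructed assumptions, not campaign artifacts.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample lure (not a real campaign artifact): every header, address and URL is made up.
SAMPLE_EMAIL = """\
From: WordPress.com Billing <billing@wordpress.com>
To: admin@example.org
Subject: Action required: domain renewal due
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=wordpress.com; dkim=none; dmarc=fail (p=none)
Content-Type: text/plain; charset=utf-8

Hello,

Your domain renewal is due. Immediate action is required to avoid suspension.
Renew now: https://renewal-checkout.example/pay
"""
TRUSTED_DOMAINS = ("wordpress.com",)  # brand the lure claims to come from (assumed list)
URGENCY_PHRASES = ("action required", "immediate", "avoid suspension", "within 24 hours")
GENERIC_GREETINGS = ("hello,", "hi,", "dear customer", "dear user")

def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def assess_renewal_email(raw):
    # Returns the list of lure indicators found in one raw RFC 5322 message.
    msg = message_from_string(raw)
    findings = []
    # Spoofed brand: From claims a trusted domain, but the receiving MTA recorded SPF/DKIM/DMARC failures.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", (msg.get("Authentication-Results") or "").lower()))
    sender = re.search(r"@([\w.-]+)", msg.get("From") or "")
    if sender and _is_trusted(sender.group(1).lower()) and any(auth.get(k) != "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("sender_auth_failed")
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    text = body.lower()
    if any(p in text or p in (msg.get("Subject") or "").lower() for p in URGENCY_PHRASES):
        findings.append("urgency_language")
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic_greeting")
    # Call-to-action link that leaves the brand's own infrastructure.
    hosts = [(urlparse(u).hostname or "").lower() for u in re.findall(r"https?://[^\s<>\"']+", body)]
    off_brand = [h for h in hosts if not _is_trusted(h)]
    if off_brand:
        findings.append("link_off_brand:" + off_brand[0])
    # A genuine renewal notice names the domain being renewed; a reusable lure does not.
    prose = re.sub(r"https?://\S+", "", text)
    if "renewal" in prose and not re.search(r"\b[a-z0-9-]+\.[a-z]{2,}\b", prose):
        findings.append("no_domain_named")
    return findings
```

Two or more independent indicators on one message is a reasonable threshold for routing it to review rather than blocking on any single cue.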
Related reports show that WordPress administrators are frequent targets, even outside renewal-themed scams. The Hacker News has documented multiple campaigns where attackers exploited outdated WordPress themes and plugins to gain access to sites, then used compromised pages to host phishing forms or payment lures. Researchers noted that attackers favor WordPress because it is widely used for billing, domain management, and administrative workflows, creating opportunities to blend malicious activity into routine site operations. The report warned that gaps in plugin maintenance and delayed patching often leave administrators exposed, making phishing emails more convincing when they reference routine tasks like renewals, invoices, or account updates tied to WordPress.
Administrators often manage billing, hosting, and domain settings, which allows attackers to collect payment data or gain control of websites.
Generic language allows the same message to be reused across many recipients without knowing which domains they manage.
Repeated verification prompts allow attackers to capture valid one-time codes that may be usable in real payment flows.
Messaging platforms such as Telegram reduce infrastructure costs and make it harder to disrupt data collection compared to traditional servers.
Administrators should ignore renewal links in emails and instead sign in directly to the official service through a bookmarked or manually typed address.