Security News

Phishing scam targets WordPress users

Avast Security News Team, 11 September 2018

New phishing campaign tricks users who run WordPress sites by pushing a fraudulent update.

Phishing scams are pouring into inboxes in droves. And as the sheer volume of these scams increases, so do the levels of sophistication. Verizon reports that 30% of phishing scam emails get opened by the targeted users, with 12% of those users clicking on the included malicious link or attachment. According to the SANS Institute, 95% of all cyberattacks on businesses are successful spear-phishing attacks — successful in that the specifically-targeted users took the bait and clicked. The latest trending phishing scam targets the webmasters of WordPress-based sites.

The scam’s goal is to collect usernames, passwords, and website admin info with which the bad actors can seize control of the websites, infect them with malware, blacklist them from searches, and any other manner of harmful activity.

The phishing scam uses an official-looking WordPress email, complete with correct font, style, and footer, which “alerts” the user of a (fraudulent) need to update his or her WordPress site’s database. The email emphasizes the urgency of the matter and provides an UPDATE button for the user to click. Once the user does this, prompts request username, password, site name, and admin info. If the user complies, providing all the requested info, control of the WordPress site falls into the hands of the cybercriminals stationed at the C&C (command and control server).

“WordPress credentials are a gold mine for cybercriminals, they are traded in the black market as they allow attackers to launch all kind of attacks, from hosting phishing sites to deliver malware to visitors of the compromised sites,” says Luis Corrons, Security Evangelist at Avast.

While the discerning eye might catch grammatical errors and the bizarre mention of a “deadline” in the email — two indicators that something is not right — those warning signs may be overshadowed by the urgent direction to update. This is social engineering in action, as cybercriminals are savvy to the constant advice users receive from cybersecurity experts to keep their systems updated. The bad actors here are using the terrible irony of security concerns to scare the user into falling into their trap.

Make sure that when phishing scams hit your inbox, you don’t take the bait. Avast suggests:


  • Stay vigilant — When you’re surprised by an email from one of your accounts, telling you there’s any type of problem, go into detective mode and really look at the email. Are there spelling mistakes? Is it unusually long with a domain not matching the website itself? If you can tell it’s a scam, close and delete the message without clicking on any links, buttons, or attachments. If you think it may be valid, then still close the email without clicking on anything and call the institution in question to ask.

  • Use an antivirus — It’ll block anything infected with malware and serve as your safety net. If malware gets past your eyes, it won’t get past your antivirus. Download Avast Free Antivirus and keep yourself protected 24/7.