[WordPress Security] PSA: Wordfence Brand Being Actively Used in Phishing Campaigns

From: Wordfence <list_at_wordfence.com>
Date: Fri, 28 Jul 2023 06:20:53 -0700

Attackers are using Wordfence branding to conduct phishing campaigns. Find out how to spot fake emails.


Earlier this week we became aware that malicious actors are using the Wordfence brand to run a phishing scam against WordPress and Wordfence users. The emails pose as unknown login notifications from the recipient's own website while linking to a fake login page, clearly aiming to steal WordPress login credentials.


[Image: wf-phish-mail]

If you have received a suspicious email like this, you can check whether it is legitimate by looking for a few telltale signs:

- Wordfence notifications from your website will be sent from an email address matching your website (usually wordfence[_at_]your-website-domain).
- Messages sent through our mailing list are sent exclusively from list_at_wordfence.com, and will display an unsubscribe link at the end of the message.
- Wordfence login notifications from your website are not signed by our CEO and founder, Mark Maunder.

Details

This phishing campaign appears to be running via several custom domains, usually posing as Wordfence (or the Wordfence Team); for example:

- From: Wordfence <matteo.fish[_at_]germanrottweillerpuppies.net>
- From: Wordfence Team <jamir.bahhar[_at_]acmesecurityconcepts.com>
- From: Wordfence <thea.santana[_at_]iznacquisitions.com>

The most important thing to be aware of for WordPress site owners is that in this phishing campaign, the WordPress login link found in the email will not direct to their own site. We have seen these emails link to several legitimate, but vulnerable, websites as part of their campaign, using open redirect vulnerabilities to minimize the risk of being detected as spam/phishing messages by mail security software, as shown in the following screenshots.

In the samples we inspected, the links in these emails typically point to cruiseclubvacation[.]com. We have already notified the vulnerable site owners (where possible) and/or reported the phishing campaign to the appropriate entities.
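
The site-notification signs listed above (sender address on the site's own domain, no CEO signature) and the login-link check can be applied mechanically to a saved message. The following is an added example, not Wordfence code; the function names, the sample messages and the `.example` domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlsplit

def host_matches(host, site_domain):
    """True if host is the site's domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == site_domain or host.endswith("." + site_domain)

def triage(raw_email, site_domain):
    """List the reasons a claimed Wordfence login alert for site_domain looks fake."""
    site_domain = site_domain.lower()
    msg = message_from_string(raw_email)
    findings = []
    # Sign 1: site notifications come from an address on the site's own domain.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not host_matches(sender_domain, site_domain):
        findings.append(f"sender domain {sender_domain} is not {site_domain}")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    # Sign 2: login notifications are not signed by the CEO.
    if "mark maunder" in body.lower():
        findings.append("signed as Mark Maunder")
    # Sign 3: the login link must point at the site itself, directly.
    for url in re.findall(r"https?://[^\s\"'<>)]+", body):
        parts = urlsplit(url)
        if not host_matches(parts.hostname, site_domain):
            findings.append(f"link host {parts.hostname} is not {site_domain}")
        for key, value in parse_qsl(parts.query):  # a URL carried in a parameter
            target = urlsplit(value)
            if target.scheme in ("http", "https") and not host_matches(target.hostname, site_domain):
                findings.append(f"parameter {key} forwards to {target.hostname}")
    return findings

# Constructed sample messages (not taken from the campaign).
LEGIT = ("From: Wordfence <wordfence@my-site.example>\n"
         "Subject: Login notification\n\n"
         "A user signed in. Log in at\nhttps://my-site.example/wp-login.php\n")
PHISH = ("From: Wordfence <alerts@sender.example>\n"
         "Subject: Unknown login\n\n"
         "Someone signed in to your site. Review here:\n"
         "https://redirector.example/out?url=https://landing.example/wp-login.php\n"
         "Mark Maunder, Wordfence CEO\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH)):
        print(name, triage(raw, "my-site.example"))
```

An empty list means none of the signs fired; it does not prove the message is genuine.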

Conclusion

If you have received a message like this in the last few weeks, or suspect possible malicious activity against your website, we strongly recommend changing your WordPress password as soon as possible. Additionally, we recommend setting up Wordfence Login Security (also known as two-factor authentication) as additional protection.

Wordfence Login Security doesn’t even require a Wordfence Premium subscription – it comes standard with the free version of Wordfence, and is also available for download as a standalone plugin.

If you believe your site has been compromised via a phishing attempt or any other mechanism, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

We have a comprehensive video about the 2FA setup process should you like to know more:

Get started with Wordfence Login Security to secure your WordPress login


Defiant, Inc., 1700 Westlake Ave N STE 200, Seattle, WA 98109, United States

Received on Fri Jul 28 2023 - 15:20:56 CEST

This archive was generated by hypermail 2.3.0 : Fri Jul 28 2023 - 15:23:05 CEST