We have an email address we use to handle all communications related to notifying the developers of WordPress plugins about security issues in their plugins (whether those are ones we have found or ones that others have disclosed before they have been fixed). The email address isn’t publicly disclosed, so it shouldn’t receive email unrelated to those messages unless someone who had received communication from us either shared it with a third party intentionally or had their communication system breached. Not surprisingly, we don’t receive many emails unrelated to the intended use of the account. That made an email we received a few days ago stand out more.
The email’s subject was “WordPress Database Upgrade required !” and the body of the email was as follows:
What was obvious to us for a variety of reasons was that this was a phishing email, but we weren’t aware of this phishing email being something already out there, so we did a little looking into it.
The email itself doesn’t seem all that well put together, seeing as, for example, it doesn’t even capitalize the words database or WordPress consistently.
When we clicked the “Click here to Upgrade WordPress” link, we were first taken to a website that just showed a “loading” message (which isn’t a WordPress thing):
From there it redirected us to a fake login page on another website:
The title of that page, “WordPress.com – upgarde”, in addition to misspelling the word upgrade, seems to indicate that this is targeted at logins for the WordPress.com service, not stand-alone WordPress installs.
Both of the websites involved were legitimate websites running WordPress that must have been compromised somehow, though not necessarily through any security issue related to WordPress. We have notified both websites of the issue.
Once you enter a username and password you are sent to this page:
Needing to enter either of those details when you have just entered the username and are ostensibly on WordPress.com or your own website seems like it should be an indication that something is amiss.
Once you enter that information you are taken to the plans page for WordPress.com, which seems like a further indication that this is intended to target WordPress.com accounts:
Interestingly, while a quick search didn’t bring up any recent postings about this phishing email, we did find that a very similar precursor was written about nearly five years ago (that phishing email was also inconsistent in its capitalization of WordPress).
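As an added example (not part of the original post), here is a small Python heuristic that flags the tells noted above: the brand name appearing in more than one casing, the word database capitalized inconsistently, the misspelled page title and the stray space before the exclamation mark in the subject. The email body below is constructed, since the original is only shown as an image.

```python
import re

# Canonical spelling of the brand; any other casing is a mild indicator.
BRAND = "WordPress"
# Misspellings seen on the fake login page (the page title read "upgarde").
KNOWN_MISSPELLINGS = {"upgarde": "upgrade"}


def casing_variants(text, brand=BRAND):
    """Return every distinct casing of `brand` in `text` that is not the canonical one."""
    found = re.findall(re.escape(brand), text, flags=re.IGNORECASE)
    return sorted({w for w in found if w != brand})


def inconsistent_capitalisation(text, word):
    """True when the same word appears in more than one casing (e.g. 'database' and 'Database')."""
    forms = set(re.findall(re.escape(word), text, flags=re.IGNORECASE))
    return len(forms) > 1


def phishing_indicators(subject, body, page_title=""):
    """Collect human-readable indicators for an email and the page its link lands on."""
    indicators = []
    combined = subject + "\n" + body
    variants = casing_variants(combined)
    if variants:
        indicators.append(f"non-canonical brand casing: {variants}")
    if inconsistent_capitalisation(combined, "database"):
        indicators.append("inconsistent capitalisation of 'database'")
    for wrong, right in KNOWN_MISSPELLINGS.items():
        if re.search(rf"\b{wrong}\b", page_title, re.IGNORECASE):
            indicators.append(f"page title misspells '{right}' as '{wrong}'")
    if re.search(r"\s[!?]", subject):
        indicators.append("space before punctuation in subject")
    return indicators


# Subject and page title as observed; the body is constructed for this example.
SUBJECT = "WordPress Database Upgrade required !"
BODY = "Your wordpress database needs to be upgraded. Click here to Upgrade WordPress"
PAGE_TITLE = "WordPress.com - upgarde"

if __name__ == "__main__":
    for line in phishing_indicators(SUBJECT, BODY, PAGE_TITLE):
        print("-", line)
```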