Shopping Online? Beware this New Phishing Scam

A nasty new phishing scam has been revealed by Sucuri in an article posted this week: legitimate e-commerce sites are being hacked and a re-direct inserted into the checkout page.

This redirect takes buyers to a fake checkout page, from where the hackers steal the buyer’s credit card details, or PayPal email, and the website owner loses the sale.

It’s currently hard for webmasters to detect this hack because regular malware scanning does not normally include checkout pages. In order to do so, the scanners would need to access the checkout page, and to do that they would need to place an order, which they generally do not do.

It’s also easy for online shoppers to become victims, because the phishers have inserted themselves into a process that you’re actually expecting to follow.

Protection measures

Website owners

The only way, therefore, that you as a website owner can identify this hack is to have unauthorised-file-change warnings set up on your site. For WordPress users this is a setting that’s available in iThemes Security, iThemes Security Pro and Wordfence.

This will alert you to the re-direct that has been inserted into your checkout page so you can take corrective actions quickly.
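To show what a file-change warning does under the hood, here is an added example (not code from any of the plugins named above): it records a SHA-256 baseline of every file in a site directory and later reports files that were added, removed or modified. The directory layout and file names are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Return the files added, removed or modified since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed site tree, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"  # hypothetical web root
        (site / "checkout").mkdir(parents=True)
        (site / "index.php").write_text("<?php // home page\n")
        (site / "checkout" / "form.php").write_text("<?php // checkout form\n")

        # Keep the baseline outside the web root so a site compromise cannot rewrite it.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(site)))

        # Simulated unauthorised changes: one edited file and one new file.
        with open(site / "checkout" / "form.php", "a") as handle:
            handle.write("// unexpected extra line\n")
        (site / "new-file.php").write_text("<?php // unexpected file\n")

        return compare(json.loads(baseline_file.read_text()), snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for changed in paths:
            print(f"{kind}: {changed}")
```

Run on a schedule against the real web root, any non-empty result outside a planned update is the signal to investigate.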

It goes without saying that if you’re operating a WordPress e-commerce site (often by using WooCommerce) your site should be using SSL (Secure Sockets Layer) at least on the checkout pages, but preferably across the entire site. Your web address then becomes https://, rather than http://.

You also need to manage your site with a security-first mindset.

That means strictly controlling users who have administrator rights to the site: not just disciplined management of the number of users, but also the enforcement of strong passwords, the use of usernames that are not obvious, the enforcement of regular password changes and the use of 2-factor authentication.

Where you need a developer to access your site to make changes, they would normally need Administrator-level access. You should set this up specifically for them so they can do the work, and then delete the account as soon as the work has been done. This is as much for their protection as yours.

You definitely should not be emailing Administrator user login details around the place!

In general, you want as few Administrator-level user accounts as possible, and you should carefully manage those that exist.

Online shoppers

For online shoppers this scam is particularly dangerous because your mind is focused on the purchase you are about to make.

The phishers have inserted themselves into a process where you’re expecting to submit your financial and personal details, rather than the traditional phishing scams where they interrupt your activity and ask you to click a link.

As a result, you’re not surprised when you arrive at a checkout page – you’re expecting it.

The problem is that it’s the wrong checkout page.

To protect yourself, always check the website address in the browser address bar.

The domain name should be either that of the site on which you chose your articles or the name of the payment gateway that you chose (,, etc.).

If the domain name in the browser address bar is anything other than one you’re expecting, do not proceed!

If you’re in any doubt you can always contact the website owner through their contact page – better to do this, and wait an extra day for your goods, than to have your credit card details or PayPal email address stolen by the hackers.


This evolution of the phishing scam is just another example of the ever-increasing flow of new online security threats. We all need to be eternally vigilant in our online activities, and it is incumbent upon website owners to take overall website security extremely seriously.

If you don’t, you’re enabling the hackers and phishers to do their nasty work and thereby causing frustration and loss to the online community.

Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed.