PSA: Wordfence Brand Being Actively Used in Phishing Campaigns
Earlier this week we became aware that malicious actors are using Wordfence brand image to run a phishing scam on WordPress and Wordfence users, posing as unknown login notifications from their own website while linking to a fake login page, clearly aiming to steal WordPress login credentials.
If you have received a suspicious email like this you may want to ensure it is legitimate by checking a couple of telltale signs:
- Wordfence notifications from your website will be sent from an email address matching your website (usually
- Messages sent through our mailing list are sent exclusively from firstname.lastname@example.org, and will display an unsubscribe link at the end of the message.
- Wordfence login notifications from your website are not signed by our CEO and founder, Mark Maunder.
This phishing campaign appears to be running via several custom domains, usually posing as Wordfence (or the Wordfence Team); for example:
- From: Wordfence <matteo.fish[@]germanrottweillerpuppies.net>
- From: Wordfence Team <jamir.bahhar[@]acmesecurityconcepts.com>
- From: Wordfence <thea.santana[@]iznacquisitions.com>
The most important thing to be aware of for WordPress site owners is that in this phishing campaign, the WordPress login link found in the email will not direct to their own site. We have seen these emails link to several legitimate, but vulnerable, websites as part of their campaign, using open redirect vulnerabilities to minimize the risk of being detected as spam/phishing messages by mail security software, as shown in the following screenshots:
The links in these emails typically point to
cruiseclubvacation[.]com in the samples we inspected. We have already notified both the vulnerable site owners (where possible) and/or reported the phishing campaign to the appropriate entities.
If you have received a message like this in the last few weeks, or suspect possible malicious activity against your website, we strongly recommend changing your WordPress password as soon as possible. Additionally, we recommend setting up Wordfence Login Security (also known as two-factor authentication) as additional protection.
Wordfence Login Security doesn’t even require a Wordfence Premium subscription – it comes standard with the free version of Wordfence, and is also available for download as a standalone plugin.
If you believe your site has been compromised via a phishing attempt or any other mechanism, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
We have a comprehensive video about the 2FA setup process should you like to know more: