Earlier this week we became aware that malicious actors are using Wordfence brand image to run a phishing scam on WordPress and Wordfence users, posing as unknown login notifications from their own website while linking to a fake login page, clearly aiming to steal WordPress login credentials.
If you have received a suspicious email like this you may want to ensure it is legitimate by checking a couple of telltale signs:
- Wordfence notifications from your website will be sent from an email address matching your website (usually
- Messages sent through our mailing list are sent exclusively from firstname.lastname@example.org, and will display an unsubscribe link at the end of the message.
- Wordfence login notifications from your website are not signed by our CEO and founder, Mark Maunder.
This phishing campaign appears to be running via several custom domains, usually posing as Wordfence (or the Wordfence Team); for example:
- From: Wordfence <matteo.fish[@]germanrottweillerpuppies.net>
- From: Wordfence Team <jamir.bahhar[@]acmesecurityconcepts.com>
- From: Wordfence <thea.santana[@]iznacquisitions.com>
The most important thing to be aware of for WordPress site owners is that in this phishing campaign, the WordPress login link found in the email will not direct to their own site. We have seen these emails link to several legitimate, but vulnerable, websites as part of their campaign, using open redirect vulnerabilities to minimize the risk of being detected as spam/phishing messages by mail security software.
Source and more details: https://www.wordfence.com/blog/2023/07/psa-wordfence-brand-being-actively-used-in-phishing-campaigns