During an investigation, Sucuri came across a phishing page on a compromised website, stored under the filename “wp-order.php”.
This phishing page hosted what appeared to be a legitimate Magento 1.x login portal at the time of discovery. In support of this ruse, it loaded its CSS code and images from the malicious domain orderline[.]club.
In its analysis of the website, Sucuri found that the Magento phishing page was a bit unconventional in the method by which it exfiltrated its victims’ stolen data. As quoted in its research: