This section describes phishing that displays a fake Google login screen on a WordPress site.


Displays login screens for various services and steals users’ login IDs and passwords

Hacking and stealing login information by altering WordPress and sending the user to a different site (redirect), displaying a fake login screen for a fake company, and then stealing the user’s login information when the user mistakenly enters the wrong information is called This is called phishing.

Various phishing sites have been identified, but phishing is most often performed on the most popular services.

Google login screens and widgets
Microsoft login screens and widgets
Paypal login screens and widgets
Various foreign banks’ login screens (we have not confirmed any phishing sites for Japanese banks’ login screens at present)

Your website displays a login screen that you do not remember creating.

If your website displays a login screen for a well-known service that you do not remember creating, it is possible that your site has been tampered with.

If a visitor to your site enters his or her login information on this fake login screen, the ID and password could be sent to hackers and the user could be seriously harmed.

Embedding such a fake login screen is easy for hackers because they can simply copy the HTML code or image and make it look exactly the same as the legitimate screen.
To tell if a site is a phishing site, it is important to look at the URL of the site you are currently accessing or to basically not trust the login widget if it appears on another site that you do not trust, such as Google.

Detecting Phishing Malicious Code

If your site embeds a fake login screen or sends users to an unauthorized site that hosts a fake login screen, there may be malicious code embedded in your company’s site.
This code can be cleverly hidden deep down or obfuscated to make the code difficult to read, making it very hard to find. index.php (in the top WordPress directory or in the theme).

Example of obfuscated code

*See also the following for files most likely to be tampered with
10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with

This kind of unauthorized tampering can be detected and removed by security plug-ins.

If detection and disinfection is difficult, we also recommend that you contact a technician with expertise in the field.

Related Posts:

  1. Malware that displays a fake WordPress login screen and steals login information
    Recently, malware that alters the JAVASCRIPT file of WordPress and uses it as a parasite to display a fake login screen and steal login information has been spreading....
  2. WordPress malware, heck.php showing fake Google login screen
    Recently, many websites have been defaced to display fake Google login screens, and we will provide examples and explanations of these defacements....
  3. WordPress malware Redirect to fake login page
    Recently, there have been an increasing number of cases of malware that direct users to a new type of fake login page. We will explain this malware....
  4. WordPress Rarely, a redirect hack that sends the site to another site only from Google search results.
    This section describes a redirect hack that forces WordPress to go to a different rogue site only in rare cases (some patterns say only on smartphones) when jumping from search engine results, and explains how to deal with it....
  5. Types of malware infecting WordPress
    The types of malware that can infect WordPress will be explained, including viruses, worms, spyware, adware, Trojan horses, ransomware, phishing, SEO spam, etc....
  6. What to do when a WordPress site displays a red screen saying “This site may cause damage to your computer.
    This section explains how site operators can deal with a red screen on a WordPress site that says “This site may cause damage to your computer....