During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a Magento phishing page, but nevertheless it successfully loads a legitimate looking Magento 1.x login page.
What is not immediately visible or apparent to victims, however, is that the page elements like the images and CSS structure are almost all loaded from a malicious domain — orderline[.]club:
Harvesting Magento Login Credentials
For stolen data exfiltration, the phishing page uses a technique that doesn’t require a separate PHP file or rely on PHP functions to send out an email to the attacker, which is what we often find for exfiltration on phishing pages like this.