A phishing attack has been targeting Magento shop owners for the past 24 hours, attempting to steal their login credentials.
A so-called customer sends an “Invalid order item” message similar to the following one:
The link seems to point to the Magento shop, but in fact it redirects to a fake login page hosted at http://order1264.com/:
The order1264.com domain was registered on December 29th, the day the attack started:
$ whois order1264.com
Domain Name: ORDER1264.COM
Registry Domain ID: 2206000037_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2017-12-29T11:45:54Z
Creation Date: 2017-12-29T11:38:11Z
Registry Expiry Date: 2018-12-29T11:38:11Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited
Name Server: NS1.ORDER1264.COM
Name Server: NS2.ORDER1264.COM
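
A defender-side check built on the WHOIS record above, as an added example that is not part of the original post: it parses the Creation Date and flags a domain that was registered shortly before it showed up in a message. The 30-day threshold and the `seen_at` timestamp are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Subset of the WHOIS output shown above, embedded so the example runs offline.
WHOIS_TEXT = """\
Domain Name: ORDER1264.COM
Registrar URL: http://www.namesilo.com
Updated Date: 2017-12-29T11:45:54Z
Creation Date: 2017-12-29T11:38:11Z
Registry Expiry Date: 2018-12-29T11:38:11Z
Registrar: NameSilo, LLC
Name Server: NS1.ORDER1264.COM
Name Server: NS2.ORDER1264.COM
"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lists (keys like Name Server repeat)."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so URL values keep their own colons.
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def parse_ts(value):
    """Parse the registry's UTC timestamp format, e.g. 2017-12-29T11:38:11Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def domain_age(fields, seen_at):
    """Age of the domain at seen_at, or None if the record has no creation date."""
    created = fields.get("creation date")
    if not created:
        return None
    return seen_at - parse_ts(created[0])

def is_newly_registered(text, seen_at, max_age=timedelta(days=30)):
    """True when the domain is younger than max_age (assumed threshold) at seen_at.
    A record without a creation date is flagged rather than silently passed."""
    age = domain_age(parse_whois(text), seen_at)
    return age is None or age < max_age

if __name__ == "__main__":
    # Constructed observation time: the day after the registration date above.
    seen_at = datetime(2017, 12, 30, 12, 0, 0, tzinfo=timezone.utc)
    print("age:", domain_age(parse_whois(WHOIS_TEXT), seen_at))
    print("flag:", is_newly_registered(WHOIS_TEXT, seen_at))
```

Run against link targets extracted from inbound customer messages, this kind of check would have flagged order1264.com on the day the messages arrived.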