A phishing attack has been targeting Magento shop owners for the past 24 hours, attempting to steal their login credentials.
A so-called customer sends an “Invalid order item” similar to the following one:
The link seems to point to the Magento shop, but in fact it redirects to a fake login page hosted at
The order1264.com domain was registered on December 29th, the day the attack started:
    $ whois order1264.com
    Domain Name: ORDER1264.COM
    Registry Domain ID: 2206000037_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.namesilo.com
    Registrar URL: http://www.namesilo.com
    Updated Date: 2017-12-29T11:45:54Z
    Creation Date: 2017-12-29T11:38:11Z
    Registry Expiry Date: 2018-12-29T11:38:11Z
    Registrar: NameSilo, LLC
    Registrar IANA ID: 1479
    Registrar Abuse Contact Email: firstname.lastname@example.org
    Registrar Abuse Contact Phone: +1.4805240066
    Domain Status: clientTransferProhibited
    Name Server: NS1.ORDER1264.COM
    Name Server: NS2.ORDER1264.COM
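
The registration date is the useful signal in this record: the link target was created the same day the messages started arriving. The Python below is an added example, not code from the original post; it parses WHOIS text in the format shown above and flags a domain younger than a threshold. The function names, the 30-day threshold and the `seen` timestamp are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Subset of the WHOIS record shown above, one field per line.
SAMPLE_WHOIS = """\
Domain Name: ORDER1264.COM
Registrar URL: http://www.namesilo.com
Updated Date: 2017-12-29T11:45:54Z
Creation Date: 2017-12-29T11:38:11Z
Registry Expiry Date: 2018-12-29T11:38:11Z
Name Server: NS1.ORDER1264.COM
Name Server: NS2.ORDER1264.COM
"""

def parse_whois(text):
    """Parse 'Key: Value' lines; repeated keys (e.g. Name Server) accumulate."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def domain_age(whois_text, seen_at):
    """Return the domain's age at `seen_at`, or None if no creation date parses."""
    for raw in parse_whois(whois_text).get("creation date", []):
        try:
            created = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # unexpected date format: try the next value, if any
        return seen_at - created.replace(tzinfo=timezone.utc)
    return None

def is_suspiciously_new(whois_text, seen_at, max_age=timedelta(days=30)):
    """Flag domains younger than max_age (assumed threshold) or with no usable date."""
    age = domain_age(whois_text, seen_at)
    return age is None or age < max_age

if __name__ == "__main__":
    # Constructed timestamp: when a shop owner might have received the message.
    seen = datetime(2017, 12, 30, 9, 0, tzinfo=timezone.utc)
    print("age:", domain_age(SAMPLE_WHOIS, seen))
    print("flag:", is_suspiciously_new(SAMPLE_WHOIS, seen))
```

A record with no parseable creation date is flagged rather than passed, since a redacted or malformed record gives no evidence that the domain is established.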