Pulse: Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP
TLP:WHITE | Author: PetrP.73 | Created: 2025-12-31 | Modified: 2026-01-30
5 IOCs (low volume)
A cybersecurity investigation has revealed a phishing campaign targeting WordPress users with fraudulent emails claiming an imminent domain renewal deadline. The emails are designed to create a sense of urgency, prompting victims to act immediately to avoid service disruption, and they mimic the look and feel of legitimate correspondence from WordPress.com, which lends them an air of authenticity. Clicking the links in these emails redirects victims to a counterfeit payment portal hosted on attacker-controlled servers. This site exists primarily to capture sensitive financial information, specifically credit card details and 3-D Secure One-Time Passwords (OTPs). The stolen data is exfiltrated covertly: the harvested credentials are sent to the attackers through the Telegram messaging platform.
Indicators of Compromise (5)

Type       Indicator                                                      Created
URL        https://soyfix.com/log/log/                                    2025-12-31
domain     soyfix.com                                                     2025-12-31
domain     theyounginevitables.com                                        2025-12-31
email      8000000182331289985.auto.1765042452@theyounginevitables.com    2025-12-31
hostname   smtp.aliyun-inc.com                                            2025-12-31