Inside FluxPanel: How Phishing Enables Real-Time Ecommerce Checkout Hijacks
While online shoppers think they're safely completing purchases on legitimate ecommerce sites, cybercriminals are watching every keystroke, capturing credit cards and personal data in real time through a sophisticated new phishing-as-a-service kit called FluxPanel.
Recently surfaced by Abnormal AI researchers, FluxPanel turns legitimate WordPress stores into live data theft operations. It combines a malicious plugin with a centralized attacker dashboard, making it easy to embed into ecommerce sites without detection.
FluxPanel has been advertised on dark web forums by a user known as “hologram.” Unlike traditional phishing pages that redirect victims to fake sites, it operates directly within compromised stores' checkout flows, blurring the line between legitimate transactions and theft. Its focus on ecommerce, combined with support for advanced 3D Secure features, makes it a serious threat to online retailers.
FluxPanel in Action: Email Entry to Live Session Control and Data Capture
The Attack Interface and Target Engagement
FluxPanel offers a single web interface where attackers can deploy fake payment pages, monitor targets in real time, and collect large volumes of sensitive data. Although the damage occurs during checkout, the attack often begins with an email.
Phishing messages trick store admins into installing the malicious plugin or lure shoppers to convincing fake storefronts. These emails might reference a payment issue, shipping update, or new order—anything to prompt a click. That initial interaction pulls targets into the FluxPanel-controlled flow.
Real-Time Session Monitoring
FluxPanel’s web dashboard displays an active session the moment a target accesses a compromised checkout. The panel shows the customer’s captured details (i.e., name, shipping address, email, phone number), device/browser information, IP, and other context, all in real time.
The demo screenshot below shows an active session labeled “Donald Atkins,” with his full personal information on the left panel and a live view of the store’s order confirmation page on the right. This confirms the panel captures exactly what the customer sees at checkout (i.e., items, prices, totals) while logging it on the attacker’s side.

Interactive Attack Control
As the target enters data, FluxPanel tracks each step in a live log. It notes when 3DS prompts, SMS pop-ups, or other verification screens appear and allows the attacker to issue commands to steer the session outcome on the fly. In one captured session, the log shows “SMS popup opened” followed by “Command 'approve_transaction' dispatched.”
The target’s browser, however, displayed the normal “Order Complete” page. This demonstrates how attackers capture OTPs and approve payments, using real-time 3DS codes to silently complete fraudulent transactions.
Key Capabilities of FluxPanel
Data Harvesting and Credential Theft
Real-time Data Capture. The panel automatically captures all customer inputs as they’re entered, including full credit card details (e.g., number, expiry, CVV), personal information (e.g., name, address, phone, email), and device details (e.g., browser, OS, IP, timezone).
3D Secure (3DS)/One-Time Password (OTP) Manipulation. FluxPanel can inject and intercept 3DS verification steps, presenting fake verification pop-ups (such as OTP requests) and logging responses. Once the code is captured, the attacker can complete the payment.
OTP/SMS/Push Flows. In addition to standard SMS OTP interception, FluxPanel supports custom push notifications and app-based verification flows, allowing attackers to open fake SMS or push notification dialogs to harvest codes sent to targets’ devices.
Payment Capture (Card and PayPal). FluxPanel captures full credit card details (including CVV) and PayPal payments, potentially directing PayPal users to a fake login form to harvest credentials.
Realism and Deception Tactics
BIN Verification and Targeting. A built-in BIN (Bank Identification Number) checker identifies the card’s issuing bank and country, enabling bank-specific branding in the phishing flow. For example, FluxPanel can serve a Bank of America–style 3DS page to a BoA cardholder, making the scam more convincing.
Auto-Response Email. After collecting payment details (and potentially completing the real charge), FluxPanel can automatically send a confirmation email to the target that mimics the store’s normal receipt. Combined with email as a likely entry point for both shoppers and admins, this creates a full-loop attack that begins and ends in the inbox—reinforcing trust while masking the theft.
Success Redirect. If the attacker takes no further action, FluxPanel redirects targets to the store’s normal “Thank You” or order completion page, ensuring the target’s experience aligns with expectations and minimizing suspicion.
FluxPanel WordPress Plugin: Turning Stores Into Phishing Sites
A notable aspect of FluxPanel is its accompanying WordPress plugin, which installs the phishing kit directly into a target site’s checkout flow. The vendor claims the plugin hooks into any WordPress ecommerce platform.
While we have not examined the plugin code, its functionality can be inferred: it intercepts the checkout process and replaces it with the attacker-controlled workflow.
In practice, an attacker who gains admin access to a WordPress store could install this plugin and configure it to point to their FluxPanel server. In many cases, that access may be gained through credential phishing, often delivered via fake admin alerts or order notifications sent through email.

The plugin integrates phishing into the normal shopping experience. When a shopper enters their card details and submits payment, the plugin could silently forward those details to the FluxPanel server, along with the shipping address and order information. The legitimate store might still complete an order (perhaps charging the attacker’s own card or a benign test card in the background) and send the shopper a routine confirmation email.
Meanwhile, the attacker’s panel captures the stolen card data. During 3DS verification, the plugin can replace the bank’s actual verification page with a fake OTP prompt, ensuring the code goes directly into the attacker’s panel.

Any WordPress site using an ecommerce plugin could be targeted, completely unaware that their legitimate checkout page has been transformed into a live phishing page. A store owner who sees the normal order confirmation or receives a routine email will have little clue that the checkout was hijacked.
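Because a hijacked store keeps showing normal confirmations, one store-side check is to compare the contents of the plugins directory against an approved baseline and flag anything new or changed. The following Python is an added example, not code from FluxPanel or from the researchers; the plugin names and file contents in demo() are constructed, and it assumes the standard wp-content/plugins layout with a "Plugin Name:" header in each plugin's main file.

```python
import hashlib, os, re, tempfile
# WordPress reads plugin metadata from a "Plugin Name:" header comment.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M | re.I)

def _files(path):  # yields (relative name, full path) for each file of a plugin
    if os.path.isfile(path):  # single-file plugin; os.walk below yields nothing for it
        yield os.path.basename(path), path
    for root, dirs, files in os.walk(path):
        dirs.sort()  # deterministic order keeps the hash stable
        for fn in sorted(files):
            full = os.path.join(root, fn)
            yield os.path.relpath(full, path), full

def fingerprint(path):
    """Return the declared plugin name (or None) and a SHA-256 over all files."""
    digest, name = hashlib.sha256(), None
    for rel, full in _files(path):
        with open(full, "rb") as fh:
            data = fh.read()
        digest.update(f"{rel}\0{len(data)}\0".encode() + data)
        if name is None and rel.endswith(".php"):
            m = HEADER_RE.search(data[:8192])
            name = m.group(1).decode("utf-8", "replace") if m else None
    return {"name": name, "sha256": digest.hexdigest()}

def inventory(plugins_root):
    return {e: fingerprint(os.path.join(plugins_root, e)) for e in sorted(os.listdir(plugins_root))}

def audit(baseline, current):  # returns sorted (finding, slug, name) tuples
    out = [("unapproved", s, i["name"]) for s, i in current.items() if s not in baseline]
    out += [("modified", s, i["name"]) for s, i in current.items()
            if s in baseline and baseline[s]["sha256"] != i["sha256"]]
    out += [("missing", s, baseline[s]["name"]) for s in baseline if s not in current]
    return sorted(out)

def demo():
    """Constructed sample tree: take a baseline, then change the tree and audit."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        write("shop-cart/shop-cart.php", "<?php\n/*\n * Plugin Name: Shop Cart\n */\n")
        baseline = inventory(root)
        write("checkout-helper/main.php", "<?php\n/*\nPlugin Name: Checkout Helper\n*/\n")
        write("shop-cart/inc/hooks.php", "<?php // constructed extra file\n")
        return audit(baseline, inventory(root))

if __name__ == "__main__":
    print(demo())
```

Take the baseline from a known-good deployment and store it off the web server, since an attacker with admin access can alter anything kept on the site itself.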
The Email Security Implications of FluxPanel
FluxPanel's attack lifecycle reveals why comprehensive email security is essential for protecting ecommerce operations. The threat operates as a full-loop attack that begins and ends in the inbox, creating multiple opportunities for email-based intervention.
Initial Compromise
FluxPanel attacks typically start with credential phishing campaigns targeting WordPress store administrators. These emails—often disguised as fake admin alerts or order notifications—steal the access credentials needed to install the malicious plugin. Once installed, the plugin immediately begins intercepting all customer checkout data.
Data Harvesting
Beyond capturing payment information, FluxPanel logs comprehensive customer details including names, shipping addresses, emails, phone numbers, and complete purchase histories. This creates a valuable dataset for future attacks. Armed with detailed customer information and transaction histories, cybercriminals can launch convincing secondary attacks against both the compromised customers and the business itself.
Attack Reinforcement
FluxPanel automatically generates legitimate-looking order confirmations that mask the theft from both customers and store owners. These convincing emails help the attack operate undetected while building a foundation for follow-up campaigns.
Email security systems must be advanced enough to identify subtle anomalies in legitimate-seeming messages that might indicate an ongoing attack—a challenge that requires AI-powered behavioral analysis to distinguish between legitimate and malicious automated emails.
Minimizing the Threat to Online Stores
FluxPanel represents a new paradigm in ecommerce threats—one where the line between genuine transactions and theft disappears entirely. As this phishing-as-a-service kit gains traction among cybercriminals, WordPress store owners face a serious challenge: attacks that can't be detected by traditional security measures because they operate within legitimate checkout flows.
The solution lies in prevention. Since FluxPanel depends on email-based initial compromise and legitimacy reinforcement to avoid detection, behavioral AI-based email security can disrupt the attack at multiple critical points. Organizations that implement AI-powered email security now can protect their customers, preserve their reputation, and prevent their platforms from becoming vectors for cybercrime.