I've received the following email from Google about one of the sites on our server. I wonder if anyone can confirm if this is legitimate and also what the most likely sources of such an attack would be. Is it insecure scripts such as Wordpress?
Dear site owner or webmaster of domain.com,
We recently discovered that some pages on your site look like a probable phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have begun showing a warning page to users who visit this site in certain browsers that receive anti-phishing data from Google, as well as users redirected to this site from various Google properties.
Below are one or more example URLs on your site which appear to be part of a phishing attack:
We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.
Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting http://sb.google.com/safebrowsing/report_error/
and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.
If they send it to the address in the whois info, probably it is legitimate. As I cannot see phishing URL's in the email.
Probably your user's page triggered a phishing alert.
Since they are displaying Phishing alert when someone tries to access the page, they are letting you know out of courtesy.
Cannot be sure without seeing the headers though.