Hackers abuse Google ads for GoDaddy ManageWP login phishing
Source: Bleeping Computer
Overview
A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy’s platform for managing fleets of WordPress websites. The threat actor uses an adversary‑in‑the‑middle (AiTM) approach where the fake login page acts as a real‑time proxy between the victim and the legitimate ManageWP service.
ManageWP is a centralized remote administration platform for WordPress sites, allowing users—such as web developers, agencies, and enterprises—to manage multiple sites from a single panel instead of logging into separate dashboards.
Attack Vector
Researchers at Guardio Labs observed that the malicious search result is displayed above the legitimate one for the managewp query, luring users who rely on Google to find the login URL.

Phishing Mechanics
- Users clicking the malicious result are taken to a login page that looks identical to the real ManageWP login page.
- Credentials entered are immediately forwarded to a Telegram channel controlled by the attacker.
- Unlike typical credential‑stealing pages, the attacker runs a live AiTM setup, using the captured credentials to log into the real platform in real time.
- After the initial login, the victim is presented with a fake prompt for the two‑factor authentication (2FA) code, which the attacker then uses to gain full access to the ManageWP account.
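Because the operator replays each captured password and 2FA code against the real service, the service's authentication log may show one source address completing logins for many unrelated accounts, assuming the operator reuses that address. The following Python detection is an added example, not code from Guardio Labs, Bleeping Computer or ManageWP; the event tuple format, the step names, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the page): (ISO time, account, source IP, step).
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "203.0.113.50", "2fa_ok"),
    ("2024-01-10T09:12:00", "bob", "203.0.113.50", "2fa_ok"),
    ("2024-01-10T09:40:00", "carol", "203.0.113.50", "2fa_ok"),
    ("2024-01-10T09:41:00", "heidi", "203.0.113.50", "password_ok"),
    ("2024-01-10T09:05:00", "dave", "198.51.100.7", "2fa_ok"),
    ("2024-01-10T17:30:00", "dave", "198.51.100.7", "2fa_ok"),
    ("2024-01-10T08:00:00", "erin", "192.0.2.10", "2fa_ok"),
    ("2024-01-10T11:00:00", "frank", "192.0.2.10", "2fa_ok"),
    ("2024-01-10T14:00:00", "grace", "192.0.2.10", "2fa_ok"),
]


def flag_relay_sources(events, window=timedelta(hours=1), min_accounts=3):
    """Map each source IP to the accounts it completed 2FA for, when at least
    min_accounts distinct accounts fall inside one sliding time window."""
    by_ip = defaultdict(list)
    for ts, account, ip, step in events:
        if step == "2fa_ok":  # only fully authenticated sessions count
            by_ip[ip].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(accts) for ip, accts in flagged.items()}


if __name__ == "__main__":
    for ip, accts in flag_relay_sources(EVENTS).items():
        print(f"review {ip}: completed 2FA for {len(accts)} accounts: {accts}")
```

An agency office behind one NAT address can trip the same rule, so a hit is a lead for review rather than proof. An operator who rotates source addresses will not be caught by it.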
Impact
- Each ManageWP account typically hosts hundreds of sites.
- According to WordPress.org statistics, the ManageWP plugin is active on more than 1 million websites.
- Guardio Labs has identified 200 unique victims at the time of writing and is contacting them to alert them about the exposure.
Infrastructure
Guardio Labs infiltrated the attacker’s command‑and‑control (C2) infrastructure and observed a dropdown command system that enables an interactive, operator‑driven phishing flow.

The platform does not appear to be part of a commodity phishing kit; rather, it seems to be a private phishing framework. Embedded in the code is a Russian‑language agreement that:
- Denies responsibility for illegal activity.
- Includes an educational/research use disclaimer.
- Prohibits public leaks of panel files or use against Russia‑based systems.