Google Ads Abused to Phish GoDaddy ManageWP Credentials

A phishing campaign using sponsored Google search results targets login credentials for GoDaddy's ManageWP platform, which allows centralized management of multiple WordPress websites. The threat actor employs an adversary-in-the-middle approach where a fake login page acts as a real-time proxy to the legitimate ManageWP service. Sponsored results for the "managewp" query appear above genuine links, tricking users into clicking malicious ads.

Victims who enter credentials on the fraudulent login page have their information delivered to an attacker-controlled Telegram channel. The attacker then logs into the real ManageWP platform in real time and presents victims with a fake two-factor authentication prompt, capturing the 2FA code to complete account takeover. Guardio Labs researcher Nati Tal notes that each compromised ManageWP account typically controls hundreds of websites, with the platform's plugin active on over one million sites according to WordPress.org.

The phishing framework appears to be a private, operator-driven system rather than a commodity kit, featuring an interactive dropdown command system. Embedded Russian-language code includes a disclaimer denying responsibility for illegal activity, prohibiting use against Russian systems, and claiming educational or research purposes. Guardio Labs has identified 200 unique victims and has begun notifying affected users. Website owners and agencies using ManageWP should avoid relying on search results for login URLs and instead bookmark the official address directly.
