Cybercriminals have launched a new phishing campaign that uses Google ads to hijack GoDaddy and ManageWP user accounts. People search for a login panel to manage their sites, click on the ad, and are taken to fake pages that look almost identical to the real thing.
Cybercriminals are conducting an Adversary-in-the-Middle (AiTM) campaign that combines Google Ads with a Man-in-the-Middle (MITM) relay to capture ManageWP credentials and two-factor authentication (2FA) codes. ManageWP users are being targeted because they use the service to manage their WordPress websites centrally.
According to researchers at Guardio Labs, searching for “managewp” in Google brings up a fake advertisement placed above the real ManageWP website. Most people reach the login URL by typing it into the Google search bar; as a result, many users who click the fake link land on what appears to be an exact replica of the login screen for the ManageWP central dashboard.

Unlike traditional phishing websites that collect usernames and passwords for later use, this website relays all entered information in real time using an Adversary-in-the-Middle (AiTM) setup. It acts as a middleman between the victim and the real ManageWP website. Once the victim submits their username and password, both are sent directly to the attacker.
The attacker then immediately logs in to the real ManageWP account. The victim is prompted for a second factor – i.e., a 2FA (two-factor authentication) token. That token is also captured by the attacker and used to complete the login to the ManageWP account.
Once the login is complete, all stolen credentials are delivered to the attackers’ Telegram channel.
Nati Tal, principal researcher at Guardio Labs, said: “One ManageWP account has access to dozens, if not hundreds of sites.” As reported by WordPress.org, the number of sites using the ManageWP plug-in – which enables ManageWP to interact with those sites – exceeds 1 million.
The researchers were able to breach the attacker’s CnC (Command & Control) infrastructure and found an operational console that allows a live, interactive phishing session with full operator control.

Guardio Labs’ researcher said that this system appears to be a closed system built for private use, as opposed to the open phishing kits that circulate among hackers on the Internet.
Additionally, the researchers discovered something quite interesting. In the code for the phishing platform they found a Russian-language disclaimer stating that the authors would not be responsible for any illicit activity with the tool and claiming it was intended for “educational and research” purposes. The disclaimer also specifically prohibited using the tool against Russian targets and prohibited users from posting (leaking) the panel files publicly.
At the time of writing, the Guardio Labs researchers have gathered information on a number of users whose accounts were accessed by the attackers, and are warning those users of possible breaches of their accounts. The researchers can confirm at least 200 different victims of this hacking operation.