Hackers hijack Google Ads to spread phishing campaign spoofing top GoDaddy tool
A fake ManageWP site is being advertised on Google
- Cybercriminals are abusing Google Ads to lure ManageWP users to fake login pages
- The phishing flow captures credentials and 2FA codes, relaying them to attacker‑controlled Telegram accounts
- Researchers found a custom Russian‑language phishing framework, with at least 200 confirmed victims so far
Cybercriminals are targeting ManageWP users through a series of malicious Google Ads sponsored search results, security researchers have claimed.
ManageWP is GoDaddy’s cloud-based service that lets users manage multiple WordPress sites from a single dashboard. Its users include web developers, agencies running multiple websites for their clients, and enterprises needing more than one site for their business. According to data on WordPress.org, ManageWP’s plugin is installed on more than a million active websites.
Security researchers from Guardio Labs said they found a fake landing page designed to trick users into sharing not just their login credentials but their 2FA codes as well. The miscreants managed to advertise the page on Google, so whenever someone searches for ManageWP (or, presumably, similar services too), they are shown a dangerous result at the very top.
Russian threat actors?
Those who don’t spot the scam (by analyzing the URL they’re being redirected to) are shown a site that looks almost identical to the legitimate one, and if they log in, their credentials are relayed to an attacker-controlled Telegram account.
Guardio Labs also said they were able to access the threat actors’ command-and-control (C2) infrastructure, seeing a dropdown menu that allows for an interactive, modular phishing flow. However, the platform doesn’t seem to be part of a commodity kit; the researchers believe this is a private phishing framework.
The researchers did not attribute the attack, or the platform, to any specific threat actor, but they did find something curious. The platform contains a user agreement, written in Russian, in which the creator rejects any responsibility for illegal conduct and states that the platform is built for educational and research use only.
The terms of service also prohibit using the platform against Russians and publicly leaking the generated data.
At the time of writing, at least 200 victims have been confirmed. All of them have been warned about the attack.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.