HACKERS USE GOOGLE ADS TO PHISH MANAGEWP LOGINS

SECURITY DESK · 2 MIN READ
WED, MAY 6, 2026

■ AI-SUMMARIZED FROM 4 SOURCES

A phishing campaign leveraging Google sponsored search results is targeting credentials for ManageWP, the GoDaddy platform used to manage multiple WordPress sites. Attackers are exploiting Google's ad system to reach users searching for the service.

Threat actors have launched a phishing attack using Google Ads to distribute fake ManageWP login pages. The malicious ads appear in sponsored search results when users look for the legitimate ManageWP platform, creating a convincing entry point for credential theft.

ManageWP, owned by GoDaddy, allows WordPress administrators to manage multiple sites from a centralized dashboard. Compromised credentials would give attackers broad access to client websites, enabling them to inject malware, steal data, or modify site content.

The Attack Method

The campaign works by bidding on search terms related to ManageWP. When users click the ads, they land on fraudulent pages mimicking the official login interface. Users entering their credentials unknowingly hand them directly to attackers.

This technique exploits the trust users place in Google's ad system. Many people assume sponsored results are legitimate, making them less likely to scrutinize URLs or warning signs.

Scope and Risk

The attack specifically targets users managing WordPress sites through ManageWP, a popular choice for agencies and freelancers handling multiple client sites. A single compromised account could expose dozens of websites.

GoDaddy has not publicly confirmed the scale of the campaign or whether customer accounts have been compromised. The company typically relies on users to report suspicious activity.

Recommended Actions

ManageWP users should verify they're on the legitimate site by checking the URL directly rather than clicking ads. Bookmarking the official login page eliminates reliance on search results.

If you've recently entered credentials on an unfamiliar page, change your ManageWP password immediately and enable two-factor authentication. Review account activity for unauthorized access or changes.

This attack underscores the vulnerability of ad-based phishing. Google Ads' accessibility means attackers can reach high-value targets with minimal barriers. While Google removes malicious ads when detected, the lag between discovery and removal creates opportunity for attackers.
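The URL check recommended above can also be run over web-proxy logs to find users who reached a ManageWP lookalike host, and whether they arrived from an ad click. This Python sketch is an added example, not part of the original article; it assumes `managewp.com` is the official domain, treats the Google Ads click identifiers `gclid`, `gbraid` and `wbraid` as the ad-click signal, and runs on constructed sample URLs.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlsplit

OFFICIAL_DOMAIN = "managewp.com"  # assumption: confirm against your own bookmark
BRAND = "managewp"
AD_CLICK_PARAMS = {"gclid", "gbraid", "wbraid"}  # Google Ads click identifiers

def is_official(host):
    """Exact domain or a true subdomain; 'managewp.com.portal.example' fails."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def resembles_brand(host):
    """Brand embedded anywhere in the host, or a near-miss label (typosquat)."""
    if BRAND in re.sub(r"[^a-z0-9]", "", host):
        return True
    for token in re.split(r"[.\-]", host):
        # Length guard keeps ordinary words such as "manage" from matching.
        if abs(len(token) - len(BRAND)) <= 1 and \
                SequenceMatcher(None, token, BRAND).ratio() >= 0.8:
            return True
    return False

def classify(url):
    """Return 'ok', 'lookalike' or 'lookalike-via-ad' for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lower-cases the host
    if is_official(host) or not resembles_brand(host):
        return "ok"
    query_keys = parse_qs(parts.query, keep_blank_values=True)
    via_ad = bool(AD_CLICK_PARAMS.intersection(query_keys))
    return "lookalike-via-ad" if via_ad else "lookalike"

def triage(urls):
    """Keep only the URLs that need an analyst's attention."""
    return [(u, v) for u in urls if (v := classify(u)) != "ok"]

# Constructed sample URLs; hosts under .example are placeholders, not indicators.
SAMPLE_URLS = [
    "https://orion.managewp.com/login",
    "https://managewp.com/?gclid=CONSTRUCTED",
    "https://manage-wp-login.example/signin?gclid=CONSTRUCTED",
    "https://managewp.com.portal.example/login?wbraid=CONSTRUCTED",
    "https://rnanagewp.example/login",
    "https://manage.example/pricing?gclid=CONSTRUCTED",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS):
        print(f"{verdict:17}{url}")
```

Hosts encoded as punycode (`xn--`) are not decoded here, so homoglyph domains need a separate check.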

■ SOURCES

Bleeping Computer · Bleeping Computer · Bleeping Computer · Hacker News

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
