A phishing campaign leveraging Google sponsored search results is targeting ManageWP credentials, the GoDaddy platform used to manage multiple WordPress sites. Attackers are exploiting Google's ad system to reach users searching for the service.
Threat actors have launched a phishing attack using Google Ads to distribute fake ManageWP login pages. The malicious ads appear in sponsored search results when users look for the legitimate ManageWP platform, creating a convincing entry point for credential theft.
ManageWP, owned by GoDaddy, allows WordPress administrators to manage multiple sites from a centralized dashboard. Compromised credentials would give attackers broad access to client websites, enabling them to inject malware, steal data, or modify site content.
The Attack Method
The campaign works by bidding on search terms related to ManageWP. When users click the ads, they land on fraudulent pages mimicking the official login interface. Users entering their credentials unknowingly hand them directly to attackers.
This technique exploits the trust users place in Google's ad system. Many people assume sponsored results are legitimate, making them less likely to scrutinize URLs or warning signs.
Scope and Risk
The attack specifically targets users managing WordPress sites through ManageWP, a popular choice for agencies and freelancers handling multiple client sites. A single compromised account could expose dozens of websites.
GoDaddy has not publicly confirmed the scale of the campaign or whether customer accounts have been compromised. The company typically relies on users to report suspicious activity.
Recommended Actions
ManageWP users should verify they're on the legitimate site by checking the URL directly rather than clicking ads. Bookmarking the official login page eliminates reliance on search results.
If you've recently entered credentials on an unfamiliar page, change your ManageWP password immediately and enable two-factor authentication. Review account activity for unauthorized access or changes.
This attack underscores the vulnerability of ad-based phishing. Google Ads' accessibility means attackers can reach high-value targets with minimal barriers. While Google removes malicious ads when detected, the lag between discovery and removal creates opportunity for attackers.
Federal prosecutors have unsealed a 2024 indictment charging three Russian nationals and two web hosting services with facilitating cyberattacks and money laundering that victimized cybercrime targets of $62 million.
A hacker accessed Suno's source code using stolen employee credentials, revealing that the AI music generator scraped decades of audio from YouTube to train its model.
Criminals can now clone voices with AI in mere seconds, outpacing traditional authentication defenses that banks and financial institutions rely on to prevent fraud.
Five malicious versions of AsyncAPI packages were published to npm, delivering a remote access trojan capable of stealing credentials and sensitive data from developer systems.