VYPR
Breach · Published May 6, 2026 · Updated May 17, 2026 · 1 source

ManageWP Users Targeted in Sophisticated Google Ad Phishing Campaign

Attackers are using malicious Google search advertisements to lure ManageWP users into a real-time adversary-in-the-middle phishing scheme that bypasses multi-factor authentication.

Threat actors are currently exploiting Google sponsored search results to conduct a sophisticated phishing campaign targeting users of GoDaddy’s ManageWP platform. By purchasing advertisements that appear at the top of search results for the term "managewp," attackers are redirecting unsuspecting web developers and agencies to a fraudulent login page designed to harvest credentials and bypass multi-factor authentication (BleepingComputer).

The attack uses an adversary-in-the-middle (AitM) mechanism, which functions as a real-time proxy between the victim and the legitimate ManageWP service. Unlike standard phishing pages that merely record static username and password pairs, this setup allows attackers to intercept and use credentials in real time. When a victim enters their login information, the attackers immediately use those details to attempt a login on the actual ManageWP platform, which then triggers a fake prompt on the phishing site requesting the victim's two-factor authentication (2FA) code (BleepingComputer).

Once the 2FA code is captured, the attackers gain full, unauthorized access to the victim's ManageWP account. This is particularly dangerous because ManageWP is a centralized management tool; a single compromised account often provides control over hundreds of individual WordPress websites. With the ManageWP plugin currently active on over 1 million websites, the potential scope for downstream impact (such as mass site defacement, malware injection, or data theft) is significant (BleepingComputer).

Guardio Labs, which discovered the campaign, successfully infiltrated the attackers' command-and-control (C2) infrastructure. Their analysis revealed a custom, operator-driven phishing framework rather than a widely available commodity kit. The C2 panel features an interactive dropdown system that allows attackers to manage the phishing flow manually. Notably, the researchers discovered an embedded Russian-language disclaimer within the code, which attempts to absolve the author of illegal activity while explicitly prohibiting the tool's use against systems located in Russia (BleepingComputer).

The researchers have already identified at least 200 unique victims and have begun the process of notifying those affected to mitigate further exposure. While there is no official patch for this social engineering tactic, users are advised to verify the destination URL of search results before clicking and to navigate directly to known service portals by typing the address manually into their browser (BleepingComputer).
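The same destination-URL check can be run by defenders over web-proxy logs to spot ad clicks that land on a brand lookalike. The Python below is an added example, not code from Guardio Labs or BleepingComputer; it assumes `managewp.com` is the only legitimate domain, and the function names, verdict labels and `.example` log records are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

LEGIT_DOMAIN = "managewp.com"            # assumption: the only trusted domain
BRAND = "managewp"
AD_PARAMS = ("gclid", "gbraid", "wbraid")  # Google Ads click identifiers

def is_legit_host(host):
    """Exact domain or a true subdomain; a suffix like 'managewp.com.x' fails."""
    host = host.rstrip(".").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def from_google_ad(url, referrer):
    """Ad click: click-ID parameter on the URL or an ad-redirect referrer."""
    query = parse_qs(urlsplit(url).query)
    ref_host = (urlsplit(referrer).hostname or "").lower()
    return any(p in query for p in AD_PARAMS) or \
        ref_host.endswith("googleadservices.com")

def classify(url, referrer=""):
    parts = urlsplit(url)
    if is_legit_host(parts.hostname or ""):
        return "ok"
    # Check the whole netloc so 'managewp.com@other-host' userinfo tricks and
    # hyphenated spellings ('manage-wp') still count as brand use.
    brand_used = BRAND in parts.netloc.lower().replace("-", "")
    if brand_used and from_google_ad(url, referrer):
        return "alert"    # sponsored click landed on a lookalike host
    return "review" if brand_used else "ignore"

# Constructed proxy-log records: (requested URL, referrer)
SAMPLE = [
    ("https://managewp.com/login", "https://www.google.com/"),
    ("https://managewp.com.login-portal.example/signin?gclid=abc", ""),
    ("https://manage-wp.example/login",
     "https://www.googleadservices.com/pagead/aclk"),
    ("https://managewp.com@portal.example/?gclid=x", ""),
    ("https://notmanagewp.com/", ""),
    ("https://news.example/article", ""),
]

def scan(records):
    return [(url, classify(url, ref)) for url, ref in records]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE):
        print(f"{verdict:7} {url}")
```

Internationalized lookalikes arrive in logs as `xn--` punycode labels and will not match the plain brand string, so they need a separate rule.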

This campaign highlights the persistent risk posed by malicious search advertisements, a vector that continues to be leveraged to bypass traditional security perimeters. By targeting administrative platforms that consolidate control over large numbers of websites, attackers can achieve high-leverage compromises with relatively low effort. As these phishing frameworks become more sophisticated and interactive, the reliance on human verification remains a critical, yet vulnerable, component of organizational security (BleepingComputer).

Synthesized by Vypr AI