A new phishing campaign is using Google-sponsored search results to steal login credentials from ManageWP users, putting large numbers of WordPress websites at risk.

ManageWP, owned by GoDaddy, is a platform that lets users manage multiple WordPress websites from one central dashboard. It is commonly used by developers, agencies, and businesses that handle many client or company websites at once.

Researchers at Guardio Labs warned that attackers are placing a fake sponsored result above the real ManageWP website when users search for “managewp” on Google. This can trick people who depend on search results to find the correct login page.

When users click the malicious ad, they are taken to a fake login page that closely resembles the real ManageWP site. Any username and password entered on that page are forwarded to a Telegram channel controlled by the attacker.

Source: Guardio Labs

This campaign is more dangerous than a basic phishing page because it uses an adversary-in-the-middle, or AitM, method. Instead of simply collecting credentials, the fake page works as a live proxy between the victim and the real ManageWP service. The attacker uses the stolen login details in real time and then shows the victim a fake prompt asking for their two-factor authentication code.

Once the victim enters the 2FA code, the attacker can use it to access the ManageWP account. Guardio Labs head researcher Nati Tal told BleepingComputer that a single ManageWP account often controls hundreds of websites.


According to WordPress.org statistics, the ManageWP plugin, which allows the platform to control connected websites, is active on more than 1 million sites.

Guardio Labs said it was able to access the attacker’s command-and-control infrastructure and found a dropdown command system that supports an interactive, operator-driven phishing process. Tal said the system does not appear to be a common phishing kit, but rather a private phishing framework.

Researchers also found a Russian-language agreement inside the code. The text included a disclaimer saying the author was not responsible for illegal use, claimed the tool was for educational or research purposes, and banned public leaks of the panel files or attacks against systems based in Russia.


Guardio Labs said it has captured victim data from the attackers and has started contacting affected users to warn them about the exposure. At the time of writing, researchers had confirmed 200 unique victims.
