Google Ads Phishing Campaign Targets GoDaddy ManageWP Users

Severity: High (Score: 66.5)

Sources: Bleepingcomputer, Gbhackers, Cybersecuritynews

Summary

A phishing campaign exploiting Google Ads is targeting users of GoDaddy's ManageWP platform, which is used for managing multiple WordPress sites. The attackers employ an adversary-in-the-middle (AiTM) technique, creating a fake login page that captures user credentials in real time. This fraudulent ad appears above the legitimate ManageWP listing in search results, tricking users into entering their credentials. Once logged in, victims are prompted for their two-factor authentication (2FA) codes, which the attackers also capture. Guardio Labs has identified 200 unique victims so far and has infiltrated the attackers' command-and-control infrastructure. The phishing framework appears to be privately developed, with indications of a Russian-language agreement found in the code. The campaign is significant due to the number of potential victims, as ManageWP is active on over 1 million websites.

Key Points:

  • Hackers are using Google Ads to deliver a phishing campaign targeting ManageWP users.
  • The attack employs an adversary-in-the-middle setup to capture credentials and 2FA codes.
  • Guardio Labs has confirmed 200 unique victims and infiltrated the attackers' infrastructure.

Key Entities

  • Man-in-the-Middle (attack_type)
  • Phishing (attack_type)
  • WrongPress (campaign)
  • GoDaddy (platform)
  • Google Ads (platform)
  • Telegram (platform)
  • WordPress (platform)
  • ManageWP (company)
  • Google (company)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • AiTM (tool)