GoDaddy and ManageWP Users: Hackers Exploit Google Ads to Steal GoDaddy ManageWP Logins

Hackers Exploit Google Ads in AiTM Phishing Attack Targeting GoDaddy ManageWP Users

Cybercriminals are leveraging Google Ads to steal credentials for GoDaddy’s ManageWP, a widely used WordPress management platform, through an adversary-in-the-middle (AiTM) phishing campaign. Researchers at Guardio Labs uncovered the operation, which tricks users searching for "ManageWP" by placing a malicious sponsored ad above the legitimate result.

When victims click the fake ad, they are redirected to a cloned ManageWP login page that closely mimics the real interface. Unlike traditional phishing, this attack employs a live proxy that relays credentials in real time to the authentic ManageWP service, logging the attacker in simultaneously. Stolen credentials are also forwarded to a Telegram channel controlled by the threat actors.

The scheme bypasses two-factor authentication (2FA) by presenting a fake 2FA prompt, allowing attackers to intercept one-time codes and gain full access to compromised accounts. Once inside, they can control connected WordPress sites, deploy malicious plugins, exfiltrate data, or escalate access to hosting environments.

Guardio Labs infiltrated the attackers’ infrastructure and discovered a custom, operator-driven panel that dynamically manages phishing sessions. The framework appears to be a private tool rather than a commercial phishing-as-a-service kit, with code artifacts suggesting Russian origins, including a disclaimer prohibiting use against Russian targets.

The campaign has already claimed at least 200 victims, though the true number may be higher given ManageWP’s 1 million+ installations. The attack underscores the growing threat of malvertising, where cybercriminals exploit paid search slots to distribute phishing and malware at scale. Users are advised to avoid searching for login pages and instead bookmark official URLs to mitigate risk.
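The advice above can also be enforced from web proxy logs. The following is an added example, not code from the article or from Guardio Labs: it flags visits to brand-lookalike hosts and marks those that arrived through an ad click. The official hostname is a placeholder, the log format and sample lines are constructed, and treating the `gclid` query parameter (the Google Ads click identifier) as the ad-click signal is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: placeholder for the vendor's real login host (not given on the
# page). Replace with the hostname from your bookmarked official URL.
OFFICIAL_HOSTS = {"login.managewp.example"}
BRAND = "managewp"

# Constructed proxy log sample, one "<user> <url>" pair per line.
SAMPLE_LOG = """\
alice https://login.managewp.example/login
bob https://managewp-login.example.net/login?gclid=CONSTRUCTED123
carol https://login.managewp.example.signin.example.org/?gclid=CONSTRUCTED456
dave https://login.managewp.example@portal.example.net/login
erin https://news.example.com/story?gclid=CONSTRUCTED789
"""

def classify(url):
    """Label a visited URL relative to the official login host."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port, so "official@other-host" tricks
    # are judged by the host the browser actually connects to.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in OFFICIAL_HOSTS:  # exact match only, never substring or suffix
        return "official"
    if BRAND not in url.lower():
        return "unrelated"
    # Brand string appears somewhere in a URL served by a non-official host.
    if "gclid" in parse_qs(parts.query):
        return "ad-delivered-lookalike"
    return "lookalike"

def scan(log_text):
    """Return (user, verdict, host) for every lookalike visit in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, url = line.split(maxsplit=1)
        verdict = classify(url)
        if verdict != "official" and verdict != "unrelated":
            findings.append((user, verdict, urlsplit(url).hostname))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any user who appears in the findings should have their sessions revoked and credentials reset, since an AiTM proxy captures the live session as well as the password and one-time code.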

Source: https://gbhackers.com/hackers-exploit-google-ads/

GoDaddy TPRM report: https://www.rankiteo.com/company/godaddy

ManageWP Users TPRM report: https://www.rankiteo.com/company/managewps

{
"id": "godman1778142354",
"linkid": "godaddy, managewps",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'At least 200 (potentially more)',
                        'industry': 'Technology, Web Hosting, SaaS',
                        'name': 'GoDaddy (ManageWP)',
                        'size': '1 million+ installations',
                        'type': 'Web Hosting/WordPress Management Platform'}],
 'attack_vector': 'Malvertising (Google Ads), Cloned Login Page, Live Proxy',
 'customer_advisories': 'Users advised to avoid searching for login pages and '
                        'bookmark official URLs',
 'data_breach': {'data_exfiltration': 'Yes (credentials forwarded to Telegram '
                                      'channel)',
                 'number_of_records_exposed': 'At least 200 accounts '
                                              '(potentially more)',
                 'sensitivity_of_data': 'High (credentials and 2FA codes allow '
                                        'full account takeover)',
                 'type_of_data_compromised': 'Credentials, 2FA codes, '
                                             'WordPress site access'},
 'description': 'Cybercriminals are leveraging Google Ads to steal credentials '
                'for GoDaddy’s ManageWP, a widely used WordPress management '
                'platform, through an adversary-in-the-middle (AiTM) phishing '
                "campaign. The attack tricks users searching for 'ManageWP' by "
                'placing a malicious sponsored ad above the legitimate result. '
                'Victims are redirected to a cloned ManageWP login page that '
                'relays credentials in real time to the authentic service, '
                'bypassing 2FA and allowing attackers to gain full access to '
                'compromised accounts.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'GoDaddy/ManageWP due to phishing '
                                       'campaign',
            'data_compromised': 'ManageWP credentials, WordPress site access, '
                                'potentially sensitive data from connected '
                                'sites',
            'identity_theft_risk': 'High (stolen credentials and 2FA codes)',
            'operational_impact': 'Unauthorized control of WordPress sites, '
                                  'potential deployment of malicious plugins, '
                                  'data exfiltration',
            'systems_affected': 'ManageWP accounts, connected WordPress sites'},
 'initial_access_broker': {'backdoors_established': 'Live proxy for credential '
                                                    'relay, fake 2FA prompts',
                           'entry_point': 'Google Ads (malvertising)',
                           'high_value_targets': 'ManageWP users, WordPress '
                                                 'site administrators'},
 'investigation_status': 'Ongoing (Guardio Labs infiltrated attacker '
                         'infrastructure)',
 'lessons_learned': 'Growing threat of malvertising, need for user education '
                    'on avoiding search-based login pages, risks of AiTM '
                    'phishing bypassing 2FA',
 'motivation': 'Credential theft, unauthorized access to WordPress sites, data '
               'exfiltration, potential financial gain',
 'post_incident_analysis': {'root_causes': 'Exploitation of Google Ads for '
                                           'malvertising, AiTM phishing '
                                           'framework bypassing 2FA, lack of '
                                           'user awareness'},
 'recommendations': 'Bookmark official login URLs, avoid clicking on sponsored '
                    'ads for login pages, monitor for unauthorized access to '
                    'WordPress sites',
 'references': [{'source': 'Guardio Labs'}],
 'response': {'communication_strategy': 'User advisories to avoid searching '
                                        'for login pages and bookmark official '
                                        'URLs',
              'third_party_assistance': 'Guardio Labs (research and '
                                        'infiltration of attacker '
                                        'infrastructure)'},
 'threat_actor': 'Unknown (Private tool with Russian origins suggested)',
 'title': 'Hackers Exploit Google Ads in AiTM Phishing Attack Targeting '
          'GoDaddy ManageWP Users',
 'type': 'Phishing (AiTM - Adversary-in-the-Middle)',
 'vulnerability_exploited': 'Lack of user awareness, 2FA bypass via fake '
                            'prompts'}