Security researchers at Guardio Labs have identified an active adversary-in-the-middle (AitM) phishing campaign targeting GoDaddy ManageWP users through Google sponsored search results. In an AitM phish, the attacker's server acts as a real-time relay between the victim and the legitimate service, capturing both credentials and multi-factor authentication codes as they are entered. The campaign has at least 200 confirmed victims as of reporting. Because a ManageWP account typically controls a fleet of hundreds of WordPress websites, a single compromised account can cascade into mass website compromise, affecting the underlying businesses, their visitors, and the data hosted across every managed site.
How the ManageWP AitM Attack Works
ManageWP is GoDaddy's platform for centrally managing fleets of WordPress websites from a single dashboard — it is used extensively by WordPress agencies, freelancers, and enterprises that operate large numbers of WordPress installations. The ManageWP plugin is active on more than 1 million WordPress websites.
The attack begins in Google Search. When a ManageWP user searches for "managewp" or related login terms, a sponsored (paid advertisement) result appears at the top of the search results page — appearing visually identical to the legitimate site listing but pointing to a phishing domain controlled by the attacker.
Unlike traditional phishing attacks that simply display a fake login form and store submitted credentials for later use, this campaign employs a real-time adversary-in-the-middle proxy framework. The attack chain works as follows:
- Victim clicks the malicious Google ad and arrives at a phishing page that is a pixel-perfect replica of the ManageWP login interface.
- Victim enters their ManageWP username and password. These credentials are not just stored — the attacker's backend immediately uses them to initiate a real login session on the legitimate ManageWP platform in parallel, while keeping the victim occupied on the fake page.
- ManageWP sends the victim's real 2FA code (a one-time password sent via email, SMS, or authenticator app) to the victim's registered device, triggered by the attacker's real-time login attempt.
- Victim enters their 2FA code on the phishing page, believing they are completing normal authentication. The attacker intercepts this code and submits it to the legitimate ManageWP session within its validity window (typically 30–60 seconds for TOTP codes).
- The attacker now holds a valid authenticated session on the victim's ManageWP account, with full access to every WordPress site under that account's management. The victim is shown an error or redirect that obscures what has occurred.
This real-time interception model defeats standard time-based 2FA (TOTP — Time-based One-Time Password, the kind generated by apps like Google Authenticator) and SMS-based verification codes entirely, because the attacker uses the code within its validity window.
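The difference between a relayable factor and an origin-bound one is easiest to see in the verification code on the service side. The following is an added example, not code from Guardio Labs, ManageWP, or the campaign's kit: a minimal relying-party simulation in which a TOTP check accepts a code no matter which page the victim typed it on, while a WebAuthn-style check fails for an assertion produced on a phishing origin, because the browser (not the page) writes the caller's origin into the signed client data and refuses to let a foreign host claim the managewp.com relying-party ID. The phishing origin, the challenge, the secrets, and the HMAC standing in for the authenticator's asymmetric signature are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed demo values (not from the page): a TOTP seed and an HMAC key
# standing in for a FIDO2 credential's private key. Real authenticators use
# asymmetric signatures (e.g. ES256); HMAC is used only so this runs on stdlib.
TOTP_SECRET = b"constructed-demo-totp-secret"
CREDENTIAL_KEY = b"constructed-demo-credential-key"
LEGIT_ORIGIN = "https://orion.managewp.com"       # legitimate host named on the page
PHISH_ORIGIN = "https://managewp-login.example"   # constructed placeholder, not a real IoC
RP_ID = "managewp.com"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code is a function of secret and time only."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Server-side TOTP check. Note what is NOT an input: where the user typed it."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simulates navigator.credentials.get(): the browser records the calling
    page's origin in clientDataJSON and rejects rpIds the page may not claim."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData: rpIdHash (32 bytes) + flags (UP set) + 4-byte counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion: dict, expected_origin: str,
                     expected_challenge: bytes, rp_id: str) -> bool:
    """Relying-party checks: type, challenge, origin binding, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(expected_challenge):
        return False
    if cd.get("origin") != expected_origin:        # the origin-binding check
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def relayed_totp_is_accepted(now: int) -> bool:
    """Victim types the code on the phishing page; the relay submits the same
    string to the real service a few seconds later, inside the validity window."""
    code_typed_on_phish_page = totp(TOTP_SECRET, now)
    return verify_totp(TOTP_SECRET, code_typed_on_phish_page, now + 5)


def relayed_fido_is_accepted() -> bool:
    """The relay forwards the real service's challenge to the phishing page and
    forwards whatever comes back. The browser refuses before anything is signed."""
    challenge = b"constructed-challenge-from-real-service"
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, challenge, RP_ID)
    except PermissionError:
        return False
    return verify_assertion(assertion, LEGIT_ORIGIN, challenge, RP_ID)


def relayed_fido_with_own_rpid_is_accepted() -> bool:
    """Even if the phishing page requests an rpId it may use, the assertion names
    the wrong origin and wrong rpIdHash. (A real key would not even hold a
    credential scoped to that rpId; the shared HMAC key here is a simplification.)"""
    challenge = b"constructed-challenge-from-real-service"
    assertion = browser_get_assertion(PHISH_ORIGIN, challenge, "managewp-login.example")
    return verify_assertion(assertion, LEGIT_ORIGIN, challenge, RP_ID)


def genuine_fido_is_accepted() -> bool:
    challenge = b"constructed-challenge-from-real-service"
    assertion = browser_get_assertion(LEGIT_ORIGIN, challenge, RP_ID)
    return verify_assertion(assertion, LEGIT_ORIGIN, challenge, RP_ID)
```

The TOTP path succeeds because the six digits carry no information about the page they were entered on; the WebAuthn path fails at two independent points (browser-side rpId scoping, then the relying party's origin and rpIdHash comparison), which is the property the FIDO2 recommendation later on this page relies on.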
Campaign Infrastructure
Guardio Labs' research found that the phishing operation uses a custom-built C2 (command-and-control) panel with an interactive, operator-driven phishing flow — not an off-the-shelf phishing kit. The panel includes dropdown command systems that allow the operator to control the victim's experience in real time, prompting for specific inputs (2FA codes, security questions) as they become required by the legitimate ManageWP authentication process.
Analysis of the C2 panel code revealed embedded Russian-language strings, suggesting that Russian speakers may have been involved in developing or running the operation, though attribution is not confirmed.
The attacker's infrastructure uses Google's own advertising platform as the delivery vector, making it harder to block at the DNS or network level — the malicious domains are only surfaced when users are actively searching in Google, and the ads may rotate through multiple domains.
Who Is Affected
The campaign targets WordPress administrators and agencies using GoDaddy ManageWP to manage multiple WordPress sites. The risk is especially elevated for:
- WordPress agencies managing dozens to hundreds of client sites from a single ManageWP account
- Enterprise WordPress teams using ManageWP for internal WordPress fleet management
- Freelance developers who manage client sites and whose ManageWP account contains access to multiple businesses' web properties
The downstream impact of a single compromised ManageWP account can include:
- Backdoor injection across all managed WordPress sites (enabling ongoing access for the attacker or their clients)
- Malicious redirect injection (sending visitors to malware distribution sites or phishing pages)
- SEO spam and link injection across multiple sites
- Complete site defacement or content replacement
- Data theft from WordPress databases accessible through ManageWP's backup features
What You Should Do Right Now
- Never use Google Search to find the ManageWP login page. Bookmark the direct URL (https://orion.managewp.com/) and access it only via the bookmark. Verify the URL in the browser address bar before entering credentials on any page.
- Enable a hardware security key (FIDO2/passkey) for your ManageWP account. AitM attacks cannot intercept FIDO2 hardware token authentication because the cryptographic signing operation is bound to the legitimate site's origin (domain name). A hardware key (YubiKey, Google Titan Key, etc.) or a device-bound passkey will prevent account takeover even when credentials and TOTP codes are compromised.
- Audit ManageWP account access logs immediately. If you regularly search Google for the ManageWP login page, review your account's active sessions and login history for any unfamiliar access. ManageWP's security settings show active sessions that can be revoked.
- Rotate ManageWP credentials now if there is any possibility you accessed the login page through a Google search result in recent weeks. Assume credentials may have been captured even if you did not notice anything unusual during login.
- Educate teams and clients. If you manage ManageWP on behalf of clients or within a team, communicate this threat immediately and ensure all users bookmark the direct URL. Provide specific instructions: do not click Google Ads for ManageWP.
- Report suspicious Google Ads to Google. If you see a sponsored result claiming to be ManageWP that redirects to a non-managewp.com domain, report it via Google's ad reporting mechanism.
# Legitimate ManageWP login URLs (bookmark these — do not use search):
https://orion.managewp.com/
https://app.managewp.com/
# Any URL not matching *.managewp.com is suspicious
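"Any URL not matching *.managewp.com" is the right rule, but a check that only looks for the string managewp.com somewhere in the address gets several lookalike forms wrong. The following is an added example, not code from the page, Guardio Labs, or ManageWP: a helper a team could drop into a bookmark-hygiene script or a browser-extension allowlist that compares the parsed hostname against the managewp.com apex. The sample URLs are constructed test inputs covering the usual pitfalls (userinfo before an @, the apex reused as a subdomain label, a longer domain that merely ends in the same letters, plain http, the brand name in a query string, upper case and a trailing dot); none of them is an indicator from the campaign.

```python
from urllib.parse import urlsplit

# Allowlist from the page: legitimate login hosts live under managewp.com.
ALLOWED_APEX = "managewp.com"


def is_legit_managewp_url(url: str) -> bool:
    """True only if the URL is https and its parsed host is managewp.com or a
    subdomain of it. Matching on the raw string ("managewp.com" in url, or
    url.endswith("managewp.com")) is the mistake this avoids."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed input (e.g. bad IPv6 brackets)
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname        # drops userinfo, port and brackets; lower-cases
    if not host:
        return False
    host = host.rstrip(".")      # "orion.managewp.com." is the same host
    if any(ord(c) > 127 for c in host):
        return False             # raw Unicode homoglyph hosts are never the real site
    return host == ALLOWED_APEX or host.endswith("." + ALLOWED_APEX)


def classify(urls):
    """Map each URL to its verdict; handy for checking a shared bookmark list."""
    return {u: is_legit_managewp_url(u) for u in urls}


# Constructed sample inputs (not observed in the campaign).
SAMPLE_URLS = [
    "https://orion.managewp.com/",                # legitimate, from the page
    "https://app.managewp.com/login",             # legitimate, from the page
    "https://orion.managewp.com@example.test/",   # userinfo trick: host is example.test
    "https://managewp.com.example.test/",         # apex reused as a subdomain label
    "https://notmanagewp.com/",                   # endswith("managewp.com") would pass
    "http://orion.managewp.com/",                 # plain http is not the real login
    "https://example.test/?next=managewp.com",    # brand name only in the query string
    "https://ORION.MANAGEWP.COM./",               # case + trailing dot: still legitimate
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print(("OK      " if ok else "SUSPECT ") + url)
```

The check deliberately refuses non-ASCII hostnames rather than trying to normalise them; a legitimate managewp.com host never needs Unicode, so rejecting outright is both simpler and safer than IDNA comparison.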
Background: Understanding the Risk
Google Ads abuse as a phishing delivery vector has grown significantly over the past two years. The technique is effective because:
- Users trust search results, especially when they appear in the context of a specific, intentional search
- Sponsored results are visually similar to organic results in Google's current interface, with only a small "Sponsored" label that many users overlook
- Ad verification is imperfect — Google's automated review systems miss sophisticated phishing sites that dynamically serve content
- Ads rotate quickly, making it difficult for defenders to track or block them before they reach victims
WordPress is a particularly high-value target ecosystem. The platform powers approximately 43% of all websites globally, making tools like ManageWP a single point of access to large numbers of sites. Similar campaigns have targeted WooCommerce and Elementor login portals.
The AitM technique itself is not new — Evilginx2 and similar open-source frameworks have enabled AitM phishing since at least 2018. What distinguishes this ManageWP campaign is the custom-built, operator-driven C2 panel that enables real-time interaction with victim sessions, and the focus on a platform with a highly disproportionate downstream blast radius — one ManageWP account controls hundreds of sites.
Guardio Labs has contacted confirmed victims to alert them of the breach.
Conclusion
An active AitM phishing campaign is using Google sponsored search results to steal ManageWP credentials and 2FA codes in real time, giving attackers full access to WordPress fleets managed by compromised accounts. With 200 confirmed victims and a cascade risk to the hundreds of WordPress sites each account manages, WordPress administrators should immediately bookmark the direct ManageWP login URL, enable FIDO2 hardware key authentication, and audit recent account access for signs of unauthorized sessions.