
Hackers Abuse Google Ads to Steal GoDaddy ManageWP Credentials Through Advanced Phishing

A fake Google-sponsored ManageWP login page is helping attackers hijack WordPress administration accounts and potentially compromise hundreds of websites at once.

Fake Google Ads Become the Attack Entry Point

Cybercriminals are using Google sponsored search results to target users of GoDaddy ManageWP. This platform helps users manage multiple WordPress websites from one dashboard.

Instead of logging into each website separately, users can handle updates, backups, security checks, and maintenance from one panel. Because of this, ManageWP has become a high-value target for attackers.

Researchers at Guardio Labs found that a fake sponsored result appears above the legitimate ManageWP login result when users search for “ManageWP” on Google.

Many users trust Google to find login pages. As a result, they may click the fake ad without noticing the danger.

How the Phishing Attack Works

This campaign uses an adversary-in-the-middle (AiTM) phishing method, which is more dangerous than a static credential-harvesting page because it interacts with the real service while the victim is logging in.

The fake login page looks almost identical to the real ManageWP portal. However, it works as a live proxy between the victim and the legitimate service.

When users enter their username and password, the proxy forwards them to the real service and exfiltrates them instantly to the attacker through a Telegram-controlled backend.

The victim then sees a request for a two-factor authentication (2FA) code, because the legitimate service has asked for one. The attacker's session is already in progress, so the relayed code is used immediately, within its validity window, to complete the login.

This method defeats both the password and one-time-code 2FA in real time: the code is still valid no matter where the victim typed it, and the real service has no way to tell that it arrived through a proxy.

Why This Attack Creates Serious Business Risk

ManageWP is commonly used by web developers, agencies, IT teams, and enterprises. Many accounts manage hundreds of websites at once.

Researchers explained that one stolen account can expose every WordPress site connected to it, since the ManageWP dashboard can push updates, plugins, and administrative changes to all of them. This creates a serious supply chain risk for businesses.

According to WordPress.org statistics, the ManageWP Worker plugin is active on more than one million websites worldwide. That makes this phishing campaign far more dangerous than a normal account takeover.

Researchers also found that the attackers use a private phishing framework instead of a common phishing kit. This makes the operation more advanced and harder to detect.

What Organizations Should Do Next

Guardio Labs confirmed at least 200 unique victims and started contacting affected users directly.

This attack shows how dangerous sponsored search results can become. Many businesses still trust paid search results without verification.

Organizations should bookmark official admin portals instead of searching for them each time, and verify the URL in the address bar before entering credentials. They should also use phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) where possible: these bind the authentication to the real site's origin, so an assertion produced on a look-alike domain is rejected, unlike a one-time code that can be relayed.
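The difference between relayable one-time codes and origin-bound credentials is the whole point of the AiTM discussion above and of the MFA advice here, so this added example (written for this page, not code from Guardio Labs or ManageWP) models it. It implements a minimal TOTP check and a minimal WebAuthn-style relying-party check (origin and rpIdHash only; signatures omitted), then plays a proxy that relays each through. All domain names, secrets, and challenges are constructed placeholders, not the real campaign's infrastructure.

```python
"""Added example: why a relayed TOTP code passes through an AiTM proxy
while an origin-bound WebAuthn assertion does not.  Domains, secrets and
challenges are constructed placeholders (assumptions for illustration)."""
import base64
import hashlib
import hmac
import json
import struct
import time

LEGIT_ORIGIN = "https://managewp.example"        # placeholder for the real portal
PHISH_ORIGIN = "https://managewp-login.example"  # placeholder phishing host
RP_ID = "managewp.example"                       # WebAuthn relying-party ID


# --- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits by default) -----
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def server_verifies_totp(secret: bytes, submitted: str, now: int) -> bool:
    """The real service: accept a code matching the current window.
    (A production check also tolerates +/-1 step; omitted for clarity.)"""
    return hmac.compare_digest(totp(secret, now), submitted)


def aitm_relays_totp(secret: bytes, now: int) -> bool:
    """Victim reads the code from their app and types it into the fake page;
    the proxy forwards it unchanged.  Nothing in the code says where it was
    typed, so the legitimate server accepts it."""
    victim_code = totp(secret, now)
    relayed_code = victim_code          # proxy copies it verbatim
    return server_verifies_totp(secret, relayed_code, now)


# --- WebAuthn-style assertion (origin + rpIdHash checks only) ------------
def browser_builds_assertion(origin: str, challenge: bytes) -> dict:
    """What a browser signs over: clientDataJSON carries the origin the user
    is actually on, and authenticatorData starts with SHA-256(rpId).  The
    browser only permits an rpId that is a registrable suffix of the current
    host, so a phishing host cannot ask for the real site's rpId."""
    client_data = {
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).decode().rstrip("="),
        "origin": origin,
    }
    host = origin.split("://", 1)[1]
    rp_id = RP_ID if host == RP_ID or host.endswith("." + RP_ID) else host
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
    return {"clientDataJSON": json.dumps(client_data).encode(),
            "authenticatorData": auth_data}


def server_verifies_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks that defeat relay: origin must be ours, rpIdHash
    must be ours, and the challenge must be the one we issued."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != LEGIT_ORIGIN:
        return False                                  # signed on a phishing page
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                  # wrong relying party
    issued = base64.urlsafe_b64encode(expected_challenge).decode().rstrip("=")
    return hmac.compare_digest(client_data.get("challenge", ""), issued)


def aitm_relays_webauthn(challenge: bytes) -> bool:
    """Proxy forwards the real server's challenge to the victim's browser,
    but the browser signs over PHISH_ORIGIN, and the relayed assertion fails."""
    assertion = browser_builds_assertion(PHISH_ORIGIN, challenge)
    return server_verifies_assertion(assertion, challenge)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    chal = b"0123456789abcdef0123456789abcdef"        # constructed 32-byte challenge
    print("TOTP relayed via AiTM proxy accepted:", aitm_relays_totp(secret, int(time.time())))
    print("WebAuthn from phishing origin accepted:", aitm_relays_webauthn(chal))
    print("WebAuthn from real origin accepted:",
          server_verifies_assertion(browser_builds_assertion(LEGIT_ORIGIN, chal), chal))
```

Run it and the TOTP relay is accepted while the relayed WebAuthn assertion is rejected; the same challenge signed on the legitimate origin is accepted. The `totp` function reproduces the RFC 6238 test vectors, so the "accepted" result is not an artefact of a toy implementation.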

Security awareness training should include warnings about fake sponsored ads, especially for admin platforms and cloud dashboards, and should treat a login prompt reached through an ad, followed by a 2FA request, as a signal to stop and check the address bar.

In cybersecurity, convenience often becomes the first step toward compromise.