Google Ads phishing campaign targets ManageWP credentials

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.

A Google Ads phishing campaign is actively targeting ManageWP, GoDaddy’s platform for managing fleets of WordPress websites, using fake sponsored search results to harvest credentials from unsuspecting users. Security researchers at Guardio Labs infiltrated the attacker’s command-and-control infrastructure and confirmed at least 200 unique victims at the time of their investigation, though the actual scope is likely far larger.

Key Takeaways

  • Hackers abuse Google Ads to place fake sponsored results that mimic legitimate ones and lead to fake ManageWP login pages.
  • The Google Ads phishing campaign uses adversary-in-the-middle (AitM) proxying to intercept credentials and two-factor authentication codes in real time.
  • Stolen credentials are forwarded to attacker-controlled Telegram channels for immediate exploitation.
  • Guardio Labs confirmed 200+ victims; related Google Ads abuse targets Google Ads and Microsoft Ads accounts globally.
  • Attackers use a private phishing framework with operator-driven command systems, not commodity malware.

How the Google Ads phishing campaign works

The attack begins when a user searches for ManageWP on Google and clicks what appears to be a legitimate sponsored ad. The fake ad redirects the victim to a login page that is a pixel-perfect copy of the real ManageWP interface. When the user enters their username and password, the credentials are immediately forwarded to an attacker-controlled Telegram channel. The attacker then uses those stolen credentials to log into the genuine ManageWP service in real time through a proxy connection, while the victim remains on the fake page.

What makes this Google Ads phishing campaign particularly dangerous is the use of adversary-in-the-middle proxying. As the attacker logs in on the backend, the victim’s screen displays a prompt requesting a two-factor authentication code. The victim, believing they are interacting with a legitimate service, enters their 2FA code into the fake page. This code is also intercepted and sent to the attacker’s Telegram channel, giving them complete access to the victim’s ManageWP account. From there, they can compromise every WordPress site managed through that account.

Why this Google Ads phishing campaign represents a critical threat

ManageWP is not a niche tool—it is GoDaddy’s centralized platform for WordPress site management, meaning a single compromised account can affect dozens or hundreds of websites simultaneously. An attacker with access to a ManageWP account can inject malware, steal data, modify site content, or hold sites for ransom. The use of Google Ads as the delivery mechanism is particularly insidious because users trust Google’s search results and assume sponsored listings have been vetted.

Guardio Labs’ infiltration of the attacker’s C2 infrastructure revealed a sophisticated operation. Rather than using off-the-shelf phishing kits, the attackers deployed a private phishing framework with a dropdown command system that enables interactive, operator-driven attacks. This level of customization suggests a well-resourced threat actor, not a script kiddie running commodity malware. The operator can adjust the attack in real time, responding to victim behavior and maximizing success rates.

Broader Google Ads abuse and related campaigns

This is not an isolated incident. Security researchers at Malwarebytes have documented a wider pattern of Google Ads abuse, with related campaigns targeting Google Ads accounts themselves, Microsoft Ads accounts, and other high-value services. Brazilian and Asian threat actors have been observed reselling hijacked advertising accounts on blackhat forums, turning Google’s own platform into a distribution channel for phishing attacks. Some campaigns use Google Sites to host phishing pages, further leveraging Google’s trusted infrastructure against its own users.

The scope of this problem extends beyond ManageWP. Malwarebytes characterized similar Google Ads malvertising as among the most egregious they have tracked, potentially affecting thousands of customers worldwide. Attackers exploit the delay between ad placement and removal, often keeping fraudulent ads live long enough to harvest significant numbers of credentials. Even when Google removes 50 or more malicious ads, new ones are created and deployed within hours.

What victims should know

If you use ManageWP, the immediate risk is account compromise. Attackers can pivot from a stolen ManageWP account to access every WordPress site under management, potentially leading to data theft, malware injection, or site defacement. Users who have entered credentials into a suspicious ManageWP login page should assume their accounts are compromised and change their passwords immediately, then enable two-factor authentication if they have not already done so.

The broader lesson is that even trusted platforms like Google Ads can be weaponized. Users should be cautious when clicking sponsored results, especially for login pages. Verify URLs carefully—legitimate ManageWP URLs should be managewp.com or a GoDaddy subdomain, not a lookalike domain. Consider bookmarking your login pages directly rather than searching for them, and always check for HTTPS and a valid SSL certificate before entering credentials.
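The URL check described above can be automated, for example in a helpdesk triage script or a proxy rule. The following is an added example, not code from Guardio Labs, ManageWP or the original article. The allowlist is an assumption taken from the article's wording, the sample URLs are constructed, and the userinfo and homograph checks go beyond the lookalike case the article names.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Assumption: allowlist derived from the article ("managewp.com or a GoDaddy
# subdomain"); replace with the hosts your organisation actually logs in on.
TRUSTED_DOMAINS = ("managewp.com", "godaddy.com")


def check_login_url(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL a user is about to log in on."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if not host:
        return False, "no hostname"
    # "https://managewp.com@other.example/" really goes to other.example.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    # Non-ASCII or punycode labels can render like the real brand name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised (possible homograph) hostname"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain; a bare suffix match would also
        # accept "notmanagewp.com", so the leading dot matters.
        if host == domain or host.endswith("." + domain):
            return True, f"host is {domain} or a subdomain of it"
    return False, "host is not on the allowlist (lookalike or unrelated)"


# Constructed sample URLs; none are taken from the campaign.
SAMPLES = [
    "https://managewp.com/login",
    "https://app.managewp.com/",
    "https://managewp.com.signin.example/login",
    "https://managewp.com@signin.example/login",
    "https://m\u0430nagewp.com/login",  # Cyrillic 'a' in place of Latin 'a'
    "http://managewp.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        trusted, reason = check_login_url(sample)
        print(f"{'OK  ' if trusted else 'FLAG'} {sample!r}: {reason}")
```

A passing result only means the hostname is on the allowlist; HTTPS and a valid certificate by themselves say nothing about who operates the page.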

Is ManageWP responsible for this attack?

ManageWP itself is not at fault for the phishing campaign. The vulnerability lies in Google Ads’ ability to host malicious ads and in users’ natural trust of sponsored search results. ManageWP’s authentication system is functioning as designed—it cannot distinguish between legitimate and fraudulent login attempts if the credentials are real. The responsibility for removing malicious ads and preventing account abuse falls primarily on Google.

How can I protect my ManageWP account from this Google Ads phishing campaign?

Enable two-factor authentication on your ManageWP account immediately, use a strong, unique password, and avoid clicking sponsored ads for login pages—bookmark the site directly instead. Because this campaign relays 2FA codes entered on the fake page in real time, 2FA does not protect you once you are on the wrong page, so reaching the genuine site matters just as much. If you suspect your account has been compromised, change your password and check your ManageWP login history for unauthorized access attempts. Consider using a password manager to avoid entering credentials on suspicious pages.

What is GoDaddy doing about this threat?

GoDaddy has not publicly commented on this specific campaign as of the research date, though the company has a history of security issues that have drawn scrutiny from regulators and researchers. The FTC has previously taken action against GoDaddy for security failings. The primary mitigation responsibility currently rests with Google to police its own advertising platform more aggressively and remove malicious ads faster.

The Google Ads phishing campaign targeting ManageWP exposes a fundamental weakness in how trusted platforms can be weaponized by sophisticated threat actors. Until Google implements stronger verification for ads promoting login pages and faster removal of malicious listings, users must assume that even sponsored search results carry risk. For WordPress site owners relying on ManageWP, the lesson is clear: verify every login page, enable 2FA, and assume that convenience is the enemy of security.

Edited by the All Things Geek team.

Source: TechRadar
