News

Hackers Exploited Google Ads for GoDaddy ManageWP Login Phishing

Daksh
May 14, 2026
Hackers Exploited Google Ads for GoDaddy ManageWP Login Phishing | PhishNext Cybersecurity Alert
 
“Recently, Google Ads were exploited by hackers for GoDaddy ManageWP Login Phishing.”
Credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites, are the focus of a phishing campaign that is distributed through Google-sponsored search results.
 
The phony login page serves as a real-time proxy between the victim and the authentic ManageWP service as part of the threat actor's adversary-in-the-middle (AitM) technique.
 
Instead of logging into different dashboards, customers can administer many WordPress websites from a single panel with ManageWP, a centralized remote administration tool. Web developers, web agencies that manage client websites, and businesses are typical users.
 
Researchers, Guardio Labs
 
Users who rely on Google to get the URL for signing into ManageWP are tricked by the phony result that appears above the actual one for the "managewp" query.
 
Hackers Exploited Google Ads for GoDaddy ManageWP Login

 

When users click on the fraudulent result, they are redirected to an identical login page. Nevertheless, any credentials entered are sent to an attacker-controlled Telegram channel.

 

The campaign employs a live AiTM setup because the attacker utilizes the credentials to get into the platform in real-time, in contrast to the more popular phishing pages that collect username and password combinations.

 

The threat actor then uses a fictitious prompt for the victim to enter the two-factor authentication (2FA) code in order to access the ManageWP account.

 

Nati Tal, Head Researcher, Guardio Labs, BleepingComputer

 

Usually, hundreds of websites are hosted on each ManageWP account.

 

WordPress.org Stats

Over a million websites use the ManageWP plugin, which offers the platform authority over registered sites.

 

After gaining access to the attacker's command-and-control (C2) infrastructure, Guardio Labs discovered a dropdown command system that permits an operator-driven and interactive phishing flow.

 

 

Hackers Exploited Google Ads for GoDaddy

 

Nati Tal, Head Researcher

The platform appears to be a private phishing architecture rather than a component of a commodity kit.

 

Interestingly, the researcher discovered a Russian-language agreement buried in the code that forbids the public release of panel files or their use against Russia-based systems, has a disclaimer about educational and research use, and denounces responsibility for any criminal conduct.

 

Guardio Labs has begun contacting victims to inform them of the risk after obtaining victim data from the perpetrators. As of this writing, the researchers have verified 200 distinct victims.

 

Conclusion

 

Now that we have talked about how all these phishing scams affect the victim, you might want to learn the ways you can protect yourself against such attacks. For that, you can go for Phish Next, a dedicated phishing simulation platform offered by Craw Security.

 

This platform makes it easy for you to understand how phishing attacks happen and how you can protect yourself from them by avoiding them in time. What are you waiting for? Contact, Now!