A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites. [...]
# Incident Report: Phishing Campaign Targeting GoDaddy ManageWP via Google Ads
## Executive Summary
A sophisticated phishing campaign leveraged Google Search advertisements to target administrators of ManageWP, GoDaddy’s centralized WordPress management platform. By utilizing an Adversary-in-the-Middle (AitM) framework, attackers bypassed multi-factor authentication (MFA) to gain real-time access to accounts controlling fleets of WordPress websites. Approximately 200 unique victims have been identified, with the potential for compromise across thousands of downstream websites.
## Incident Details
- **Discovery Date:** May 2026 (Reported May 6, 2026)
- **Incident Date:** Ongoing as of May 2026
- **Affected Organization:** GoDaddy ManageWP Users (Web agencies, developers, enterprises)
- **Sector:** Information Technology / Web Hosting / Managed Services
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Malicious Search Engine Advertising (Malvertising)
- **Details:** Attackers purchased Google Ads for the keyword "managewp," placing a malicious link above the legitimate search result.
### Lateral Movement
- **Movement Type:** Downstream access. By compromising a single ManageWP account, attackers gained "one-click" administrative access to all individual WordPress sites (often hundreds per account) linked to that dashboard via the ManageWP Worker plugin.
### Data Exfiltration/Impact
- **Impact:** Theft of session cookies and credentials. Unauthorized access to ManageWP dashboards, allowing for site defacement, malware injection, or data theft across multiple WordPress installations.
### Detection & Response
- **Detection:** Discovered by Guardio Labs researchers who identified the malicious ad and successfully infiltrated the attacker’s Command and Control (C2) infrastructure.
- **Response:** Researchers began notifying the ~200 discovered victims; access to the C2 panel allowed live attack flows to be observed.
## Attack Methodology
- **Initial Access:** Malvertising via Google Ads.
- **Persistence:** Real-time session hijacking; attackers utilize captured session tokens or 2FA codes immediately.
- **Privilege Escalation:** Not applicable; the attack targets high-privilege administrative accounts directly.
- **Defense Evasion:** Use of a sophisticated AitM proxy that serves a pixel-perfect replica of the legitimate login page.
- **Credential Access:** Adversary-in-the-Middle (AitM) phishing.
- **Discovery:** Keyword targeting via Google Search to find active users of the platform.
- **Lateral Movement:** Web-to-web movement via the ManageWP administrative interface to managed client sites.
- **Collection:** Interception of usernames, passwords, and 16-bit or TOTP 2FA codes in real time.
- **Exfiltration:** Credential and session data sent to a Telegram-based C2.
- **Impact:** Complete administrative takeover of managed WordPress fleets.
## Impact Assessment
- **Financial:** High potential loss for agencies if client sites are held for ransom or defaced.
- **Data Breach:** Exposure of site administrative credentials; potential breach of data hosted on managed WordPress sites.
- **Operational:** Disruption of site management for web agencies; risk of mass malware deployment across thousands of sites.
- **Reputational:** High for affected web agencies and GoDaddy ManageWP platform.
## Indicators of Compromise
- **Network Indicators:**
  - Look-alike domains mimicking `managewp[.]com` (the specific phishing domains were not listed in the source text).
  - C2 Communication: Outbound traffic from the phishing infrastructure to the Telegram API (`api[.]telegram[.]org`).
- **Behavioral Indicators:**
  - A successful login from an unfamiliar IP address immediately following a legitimate-looking login by the user.
  - Unexpected 2FA prompts appearing twice, or failing on the first attempt.
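The two behavioral indicators above can be turned into a simple detection over authentication logs. The following is an added example, not code from the original report or from GoDaddy/ManageWP; it assumes a hypothetical JSON-per-line auth log with `ts`, `user`, `event` and `ip` fields, and the sample lines are constructed. It flags (a) a second successful login for the same user from a different IP within a short window of the first, which is what a live AitM replay of a stolen session looks like, and (b) a repeated MFA challenge within a short window, which is what the victim sees while the proxy relays their code.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one JSON object per line.
# "agency-admin" shows the AitM pattern: a failed/repeated MFA prompt, a
# login from the victim's IP, then a second login from a different IP
# seconds later (the proxy replaying the captured session).
SAMPLE_LOG = """
{"ts": "2026-05-06T09:00:05Z", "user": "agency-admin", "event": "mfa_challenge", "ip": "198.51.100.10"}
{"ts": "2026-05-06T09:00:20Z", "user": "agency-admin", "event": "mfa_failed", "ip": "198.51.100.10"}
{"ts": "2026-05-06T09:00:35Z", "user": "agency-admin", "event": "mfa_challenge", "ip": "198.51.100.10"}
{"ts": "2026-05-06T09:00:50Z", "user": "agency-admin", "event": "login_success", "ip": "198.51.100.10"}
{"ts": "2026-05-06T09:02:10Z", "user": "agency-admin", "event": "login_success", "ip": "203.0.113.77"}
{"ts": "2026-05-06T10:15:00Z", "user": "dev-bob", "event": "mfa_challenge", "ip": "192.0.2.5"}
{"ts": "2026-05-06T10:15:12Z", "user": "dev-bob", "event": "login_success", "ip": "192.0.2.5"}
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str  # mfa_challenge | mfa_failed | login_success
    ip: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the hypothetical JSON-per-line format into events, oldest first."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(AuthEvent(ts, rec["user"], rec["event"], rec["ip"]))
    return sorted(events, key=lambda e: e.ts)


def detect_aitm_indicators(
    events: list[AuthEvent],
    replay_window: timedelta = timedelta(minutes=10),
    prompt_window: timedelta = timedelta(minutes=2),
) -> list[Alert]:
    """Apply the two behavioral rules per user and return one alert per rule hit."""
    alerts: list[Alert] = []
    by_user: dict[str, list[AuthEvent]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    for user, evs in by_user.items():
        # Rule A: a later successful login from a different IP within the window.
        logins = [e for e in evs if e.event == "login_success"]
        for i, later in enumerate(logins):
            for earlier in logins[:i]:
                if earlier.ip != later.ip and later.ts - earlier.ts <= replay_window:
                    alerts.append(Alert(
                        "session_replay_from_new_ip", user,
                        f"{earlier.ip} at {earlier.ts.isoformat()} then "
                        f"{later.ip} at {later.ts.isoformat()}",
                    ))
                    break
            else:
                continue
            break

        # Rule B: an MFA challenge issued shortly after a previous challenge or failure.
        prompts = [e for e in evs if e.event in ("mfa_challenge", "mfa_failed")]
        for prev, cur in zip(prompts, prompts[1:]):
            if cur.event == "mfa_challenge" and cur.ts - prev.ts <= prompt_window:
                alerts.append(Alert(
                    "repeated_mfa_prompt", user,
                    f"{prev.event} at {prev.ts.isoformat()} then new challenge "
                    f"at {cur.ts.isoformat()}",
                ))
                break
    return alerts


def run_sample() -> list[Alert]:
    """Run the detector over the constructed sample log."""
    return detect_aitm_indicators(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] user={a.user}: {a.detail}")
```

Both rules fire for `agency-admin` and neither for `dev-bob`. In production the replay rule should compare ASN or geolocation rather than raw IP (mobile users change addresses legitimately), and the window should be tuned to the platform's session-issuance behaviour.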
## Response Actions
- **Containment:** Guardio Labs infiltrated the C2 panel to monitor and identify victims.
- **Eradication:** Reporting the malicious advertisements to Google for takedown.
- **Recovery:** Contacting identified victims to prompt password resets and session terminations.
## Lessons Learned
- **Ad Platform Abuse:** Threat actors are increasingly using paid search results to bypass traditional email filters.
- **AitM Capabilities:** Standard 2FA (TOTP/SMS) is insufficient against live AitM proxies.
- **Supply Chain Risk:** Centralized management tools (like ManageWP) are "force multipliers" for attackers, where one credential set provides access to hundreds of endpoints.
## Recommendations
- **Transition to FIDO2/WebAuthn:** Use hardware security keys (such as YubiKeys), which are resistant to AitM phishing because the assertion is bound to the origin the browser actually loaded.
- **Verify URLs:** Train staff to verify the URL in the browser address bar rather than clicking "Sponsored" search results.
- **Use Bookmarks:** Encourage users to use browser bookmarks for sensitive administrative portals instead of search engines.
- **Ad-Blockers:** Deploy enterprise-grade ad-blocking to prevent malicious "Sponsored" content from appearing in search results.
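To make concrete why the FIDO2/WebAuthn recommendation defeats the AitM proxy where TOTP/SMS codes (see "Lessons Learned") do not, here is an added example that models the relying-party verification step; it is not code from the original report, ManageWP or GoDaddy. The RP ID, origins and credential key are constructed placeholders, and an HMAC stands in for the authenticator's ECDSA signature so the example runs on the standard library alone. The browser writes the origin it loaded into `clientDataJSON`, and the relying party rejects any assertion whose origin is not its own; a proxy on a look-alike domain therefore cannot relay a usable assertion. A real browser would refuse even earlier, because the RP ID is not a registrable suffix of the look-alike origin, but the server-side check below catches it regardless.

```python
import hashlib
import hmac
import json

RP_ID = "managewp.example"                  # constructed RP ID (placeholder)
EXPECTED_ORIGIN = "https://managewp.example"  # constructed legitimate origin
CRED_KEY = bytes.fromhex("11" * 32)           # constructed per-credential key
CHALLENGE = bytes(range(32))                  # constructed RP challenge


def authenticator_assert(cred_key: bytes, challenge: bytes, origin: str, rp_id: str):
    """Model the browser + authenticator side of navigator.credentials.get().

    The browser, not the page, fills in `origin`: it is the origin the user is
    actually on. The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP set) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, auth_data, signature


def rp_verify(cred_key: bytes, challenge: bytes, client_data: bytes, auth_data: bytes,
              signature: bytes, expected_origin: str = EXPECTED_ORIGIN,
              rp_id: str = RP_ID) -> tuple[bool, str]:
    """Relying-party checks in the order the WebAuthn spec lists them (simplified)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != expected_origin:
        # This is the check that defeats an AitM proxy on a look-alike domain.
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    expected_sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    return True, "ok"


def simulate_login(origin_seen_by_browser: str) -> tuple[bool, str]:
    """Full round trip: RP issues CHALLENGE, browser/authenticator answer, RP verifies."""
    cd, ad, sig = authenticator_assert(CRED_KEY, CHALLENGE, origin_seen_by_browser, RP_ID)
    return rp_verify(CRED_KEY, CHALLENGE, cd, ad, sig)


def legacy_otp_verify(expected_code: str, submitted_code: str) -> bool:
    """Contrast: a TOTP/SMS code carries no origin, so a code typed into the
    phishing page and relayed by the proxy is indistinguishable from a real one."""
    return hmac.compare_digest(expected_code, submitted_code)


if __name__ == "__main__":
    print("legit origin:", simulate_login(EXPECTED_ORIGIN))
    print("look-alike origin:", simulate_login("https://manage-wp-login.example"))
    print("relayed TOTP accepted:", legacy_otp_verify("492731", "492731"))
```

The relayed TOTP code is accepted because the server has no way to learn where it was typed; the WebAuthn assertion from the look-alike origin is rejected before the signature is even checked.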