A new phishing campaign has been discovered where hackers are abusing Google Ads to target users of GoDaddy ManageWP. Security researchers found that attackers created fake sponsored advertisements that appeared at the top of Google search results. Since these ads looked legitimate, many users clicked on them without suspicion. The campaign mainly targeted website administrators and developers managing WordPress websites through ManageWP.
ManageWP is a website management platform owned by GoDaddy that allows users to control multiple WordPress websites from a single dashboard. It is widely used by developers, agencies, and businesses because it simplifies website management tasks. Reports say the ManageWP Worker plugin is installed on more than one million websites worldwide. This makes ManageWP accounts highly valuable targets for cybercriminals looking to gain access to multiple websites at once.
Researchers from Guardio Labs discovered that the fake advertisements redirected users to phishing websites designed to closely imitate the real ManageWP login page. The attackers copied the official branding, design, and login layout to make the pages appear authentic. At first glance, most users would find it difficult to identify the phishing page as fake. This realistic appearance increased the chances of victims entering their login credentials unknowingly.
The phishing operation reportedly used an advanced adversary-in-the-middle or AiTM phishing technique. In this method, the fake login page acts as a live bridge between the victim and the legitimate ManageWP service. This allows attackers to capture usernames, passwords, session cookies, and even two-factor authentication codes in real time. Researchers say this technique is far more dangerous than traditional phishing attacks because it can bypass additional security protections.
Researchers also found that stolen credentials and authentication data were being sent directly to attacker-controlled Telegram channels. This allowed cybercriminals to receive sensitive information instantly and quickly access compromised accounts. According to reports, at least 200 victims have already been linked to the phishing campaign. Since one ManageWP account can control several WordPress websites together, a single compromised account can create a much larger security risk.
The phishing campaign has been named “WrongPress” by security researchers because it specifically targets WordPress administrators and ManageWP users. Experts say the operation highlights how cybercriminals are increasingly abusing trusted advertising platforms such as Google Ads. Since many users trust sponsored search results displayed at the top of search pages, attackers are using this trust to redirect victims toward fake login portals. This makes phishing attacks more effective and difficult to detect.
Security researchers are now advising users to avoid depending completely on search engines when accessing important accounts or login pages. Instead, users are encouraged to bookmark official websites and carefully verify URLs before entering usernames or passwords. Experts also recommend enabling multi-factor authentication on all important accounts for additional protection. Although advanced phishing methods can sometimes intercept authentication codes, extra security layers still help reduce the overall risk.
The incident once again shows how phishing attacks are becoming more advanced and professionally designed. Cybercriminals are no longer relying only on suspicious emails because they are now exploiting trusted platforms like Google Ads to target victims directly. Researchers warn that users should remain cautious even while clicking sponsored search results online. The WrongPress campaign is another reminder that even trusted online advertisements can sometimes be used to spread phishing attacks and steal sensitive information.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
