Hackers Abuse Google Ads to Impersonate GoDaddy ManageWP Login Pages and Steal User Accounts

252/69 Friday, May 8, 2026

Researchers from Guardio Labs have uncovered a phishing campaign that abuses Google Ads to impersonate the login page of GoDaddy ManageWP, a platform used to manage multiple WordPress websites from a single dashboard. The malicious advertisements appeared above legitimate search results when users searched for the keyword “managewp,” leading victims to fake login pages designed to closely resemble the real service.

The campaign leverages an Adversary-in-the-Middle (AiTM) phishing technique, where the fake website acts as a real-time proxy between the victim and the legitimate ManageWP service. When victims enter their usernames and passwords, the credentials are immediately forwarded to the attackers through Telegram channels and used to log into the real accounts in real time. The phishing page then prompts victims to enter their two-factor authentication (2FA) code, allowing attackers to bypass MFA protections and gain full access to ManageWP accounts even when 2FA is enabled.

The risk associated with this campaign is particularly severe because a single ManageWP account is often used to administer multiple websites, while the ManageWP plugin itself is installed on more than one million websites globally. Researchers confirmed at least 200 victims at the time of reporting. Users are strongly advised to avoid clicking sponsored search results, carefully verify URLs before logging in, and preferably access ManageWP through bookmarks or by manually entering the official domain directly into the browser.
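For defenders, the pattern described above (an ad click that lands on a ManageWP lookalike host) can be hunted for in web-proxy logs. The following is an added example, not code from Guardio Labs or the original report; the log format, the sample lines and the `.example` lookalike hosts are constructed, and `managewp.com` as the official domain is an assumption.

```python
from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlsplit

OFFICIAL = "managewp.com"   # assumption: the vendor's official domain
BRAND = "managewp"
# Referrer hosts used by Google ad click redirects
AD_REFERRERS = {"www.googleadservices.com", "googleads.g.doubleclick.net"}

# Constructed proxy log lines: time, user, requested URL, referrer
SAMPLE_LOG = """\
2026-05-08T09:01:12Z alice https://managewp.com/ https://www.google.com/
2026-05-08T09:03:40Z bob https://managewp-login.example/signin?gclid=CONSTRUCTED1 https://www.google.com/
2026-05-08T09:05:02Z carol https://rnanagewp.example/login https://www.googleadservices.com/pagead/aclk
2026-05-08T09:07:55Z dave https://blog.example/post?gclid=CONSTRUCTED2 https://www.google.com/
"""

def is_official(host):
    """Exact match or a true subdomain; 'managewp.com.x.example' fails."""
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def looks_like_brand(host):
    """True if any hyphen-separated part of any label resembles the brand."""
    for label in host.lower().split("."):
        # Undo two common visual substitutions before comparing
        for part in label.replace("rn", "m").replace("0", "o").split("-"):
            if SequenceMatcher(None, part, BRAND).ratio() >= 0.85:
                return True
    return False

def from_ad_click(url, referrer):
    """Ad clicks carry a gclid parameter or arrive from an ad-serving host."""
    has_gclid = "gclid" in parse_qs(urlsplit(url).query)
    return has_gclid or urlsplit(referrer).hostname in AD_REFERRERS

def find_suspect_logins(log_text):
    """Return (time, user, host) for ad-driven visits to lookalike hosts."""
    hits = []
    for line in log_text.splitlines():
        ts, user, url, referrer = line.split(" ", 3)
        host = urlsplit(url).hostname or ""
        if not is_official(host) and looks_like_brand(host) \
                and from_ad_click(url, referrer):
            hits.append((ts, user, host))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_logins(SAMPLE_LOG):
        print(*hit)
```

Any user returned by the search should be treated as potentially phished: reset the password and invalidate active ManageWP sessions, since the AiTM flow captures the 2FA code as well.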

Source: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-for-godaddy-managewp-login-phishing/