TechRadar
Sead Fadilpašić

Hackers hijack Google Ads to spread phishing campaign spoofing top GoDaddy tool

  • Cybercriminals are abusing Google Ads to lure ManageWP users to fake login pages
  • The phishing flow captures credentials and 2FA codes, relaying them to attacker-controlled Telegram accounts
  • Researchers found a custom Russian-language phishing framework, with at least 200 confirmed victims so far

Cybercriminals are targeting ManageWP users through a series of malicious Google Ads sponsored search results, security researchers have claimed.

ManageWP is GoDaddy’s cloud-based service that lets users manage multiple WordPress sites from a single dashboard. Its users include web developers, agencies running multiple websites for their clients, and enterprises needing more than one site for their business. According to data on WordPress.org, ManageWP’s plugin is installed on more than a million active websites.

Security researchers from Guardio Labs said they found a fake landing page designed to trick users into sharing not just their login credentials, but 2FA codes, as well. The miscreants managed to advertise the page on Google, so whenever someone searches for ManageWP (or, presumably, similar services too), they are shown a dangerous result at the very top.

Russian threat actors?

Those who don’t spot the scam (by checking the URL they are being redirected to) are shown a site that looks almost identical to the legitimate one, and if they log in, their credentials are relayed to an attacker-controlled Telegram account.

Guardio Labs also said they were able to access the threat actors’ command-and-control (C2) infrastructure, where they saw a dropdown menu that allows for an interactive, modular phishing flow. However, the platform doesn’t seem to be part of a commodity kit; the researchers believe it is a private phishing framework.

The researchers did not attribute the attack, or the platform, to any specific threat actor, but they did find something curious. The platform contains a user agreement, written in Russian, in which the creator rejects any responsibility for illegal conduct and states that the platform is built for educational and research use only.

The terms of service also prohibit the platform from being used against Russians, and the generated data from being publicly leaked.

At the time of writing, at least 200 victims have been confirmed. All of them have been warned about the attack.

Via BleepingComputer
