Google Ads Abused in GoDaddy ManageWP Login Phishing Scam

A sophisticated phishing campaign is leveraging Google’s sponsored search ads to mimic the login page of ManageWP, GoDaddy’s platform for centrally managing large fleets of WordPress sites. The malicious ads appear at the top of search results for queries such as “ManageWP login,” directing users to domains like "managewp‑login.com" or "managewp‑auth.net" that reproduce the official UI, complete with GoDaddy branding and a valid HTTPS certificate. By capitalizing on the trust associated with both Google’s ad network and the ManageWP service, the attackers increase the likelihood that victims will enter their credentials without suspicion.

The counterfeit login page captures credentials in real time via a backend PHP script, and some variants also request the one‑time password (OTP) used for two‑factor authentication (2FA). Because the phishing kit operates on a live‑stealing model, adversaries can immediately use the harvested username and password—along with any OTP—to authenticate to the legitimate ManageWP API. Once inside, they can exploit ManageWP’s “Team” feature to inject malicious administrator accounts across all sites under the compromised account, push unauthorized plugin updates, or exfiltrate site content and database credentials.

The potential blast radius is significant: ManageWP is a popular tool among web agencies and freelancers who manage dozens to hundreds of WordPress installations from a single dashboard. Successful credential theft could therefore give attackers control over thousands of sites, enabling them to distribute spam, inject SEO‑boosting malware, or even deploy ransomware payloads through automated updates. In recent incidents observed by threat‑intel researchers, the attackers used the compromised dashboards to add hidden admin users and to modify theme files, effectively establishing persistent backdoors on victim sites.

After being notified by security researchers, Google removed the offending sponsored links, and ManageWP issued an advisory urging users to enable hardware‑based 2FA, audit team member lists, and review recent activity logs for unauthorized sessions. Organizations are also advised to avoid clicking sponsored search results and to navigate directly to managewp.com for login. Prompt password resets, revocation of suspicious API tokens, and monitoring for unexpected changes in site configurations are critical steps to mitigate the impact of this ongoing credential‑theft campaign.