Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Cursor RCE: CVE-2024-XXXXX lets Git repos auto-execute code
July 15, 2026
Gemini CLI Vulnerability Lets Attackers Build Botnets in Minutes
July 15, 2026
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Home/Threats/Critical GoDaddy ManageWP Flaw Lets Attackers Steal Credentials
Threats

Critical GoDaddy ManageWP Flaw Lets Attackers Steal Credentials

Key Takeaways A sophisticated phishing campaign, dubbed “WrongPress,” is targeting GoDaddy ManageWP users through deceptive Google advertisements. Attackers are using fake sponsored...

Jennifer sherman
Jennifer sherman
May 7, 2026 3 Min Read
57 0

Key Takeaways

  • A sophisticated phishing campaign, dubbed “WrongPress,” is targeting GoDaddy ManageWP users through deceptive Google advertisements.
  • Attackers are using fake sponsored search results to direct users to highly convincing imposter login pages.
  • The campaign employs an Adversary-in-the-Middle (AiTM) technique to bypass two-factor authentication and steal credentials in real-time.
  • Compromised ManageWP accounts pose a significant risk, potentially granting attackers control over hundreds of WordPress websites.

Cybercriminals are leveraging fraudulent Google advertisements to compromise login credentials for GoDaddy’s ManageWP platform, a critical tool for centralized WordPress website administration. This ongoing operation, identified as “WrongPress” by researchers, positions malicious sponsored search results above legitimate ManageWP listings, effectively luring users into a credential harvesting scheme before they can discern the deception.

Table Of Content

  • Key Takeaways
  • The “WrongPress” Attack Vector
  • Hackers Exploit Google Ads for Credential Theft
  • The Extensive Risk to WordPress Site Owners
  • What You Should Do

ManageWP is extensively utilized by web developers, digital agencies, and enterprises to oversee numerous client websites simultaneously. The compromise of a single ManageWP account can therefore provide attackers with a substantial foothold across an entire portfolio of web properties. With the ManageWP Worker plugin active on over one million websites, according to WordPress.org, the potential impact of such an attack is exceptionally high.

The “WrongPress” Attack Vector

The attack sequence initiates when a user searches for “managewp” on Google. A malicious sponsored advertisement appears prominently at the top of the search results, directly above the authentic ManageWP listing. Researchers at Guardio Labs were the first to detect this campaign, cautioning that even vigilant users might fall prey due to the convincing placement of the fake result.

The sophistication of this campaign lies in its meticulously crafted fake login page, which is an almost identical replica of the genuine ManageWP interface. This near-perfect mimicry leaves few, if any, discernible red flags for the average user. Upon entering their username and password, victims’ credentials are surreptitiously transmitted to an attacker-controlled Telegram channel.

Hackers Exploit Google Ads for Credential Theft

Guardio Labs confirmed at least 200 unique victims at the time of their report and has been actively informing those affected. The research team also successfully infiltrated the attackers’ command-and-control (C2) infrastructure, providing valuable insights into the real-time operational scale of the campaign.

The infection chain is engineered to evade both Google’s ad review mechanisms and user suspicion. When a victim clicks the malicious ad, they are first routed through a cloaker. This tool selectively filters out automated inspection systems while allowing genuine users to proceed, thereby concealing the true origin of the sponsored result and bypassing Google’s scrutiny. For a detailed technical breakdown, see the Guardio Labs report.

Once a genuine visitor is approved by the cloaker, they are redirected to a fake ManageWP login page where an Adversary-in-the-Middle (AiTM) technique is deployed. The attacker’s server functions as a real-time proxy, forwarding stolen credentials to the legitimate ManageWP platform. The victim is then presented with a fraudulent prompt for their two-factor authentication (2FA) code, which the attacker simultaneously uses to complete the actual login, effectively nullifying the protection offered by 2FA.

The operation’s management is facilitated by a C2 server that provides the attackers with a live dashboard to oversee ongoing phishing sessions. Guardio Labs observed that the phishing kit appears to be a proprietary framework, not a readily available tool on underground markets. A Russian-language disclaimer within the code explicitly disavows responsibility for illegal activities and prohibits targeting systems within Russia.

The Extensive Risk to WordPress Site Owners

The implications of this attack extend significantly beyond the theft of a single password. Given ManageWP’s role as a centralized management hub, a compromised account can grant an attacker control over potentially hundreds of websites concurrently. Nati Tal, head researcher at Guardio Labs, affirmed that each account typically manages numerous sites, enabling attackers to inject malware, redirect traffic, or harvest sensitive visitor data on a massive scale.

What You Should Do

  • Avoid Sponsored Search Results: When navigating to login pages for frequently used services, avoid clicking on sponsored ads.
  • Bookmark Official URLs: Save the official login page URL as a bookmark in your browser and use it directly.
  • Type URLs Directly: Manually enter the official website address into your browser’s address bar.
  • Monitor Accounts: Regularly review your ManageWP account and associated WordPress sites for any unusual activity or unauthorized logins.
  • Implement Phishing-Resistant 2FA: Where supported, adopt more secure authentication methods such as hardware security keys (e.g., FIDO2/WebAuthn) which are inherently more resistant to AiTM phishing attacks than SMS or app-based 2FA.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwarephishingSecurity

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Fake Call History Apps on Google Play Steal Payments From 7.3M+ Users

Next Post

Critical WatchGuard Agent Vulnerabilities Grant SYSTEM Privileges on Windows

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
FaceTime Call Impersonation Fraud Hijacks Bank Accounts
July 15, 2026
Critical Windows RDP Bugs Expose Sensitive Data, Patch Now
July 15, 2026
LabubaRAT Malware Impersonates NVIDIA to Hijack Windows Systems
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us