Google Ads Hijacked for ManageWP Phishing: Paid Search Results Target WordPress Administrators
Threat actors are purchasing Google Ads to rank malicious phishing pages for ManageWP login terms, intercepting administrators searching for legitimate access. This exploits Google's ad system to deliver credential theft at scale against a platform managing thousands of WordPress deployments.
Affected
Threat actors have established a phishing campaign using Google Ads to position malicious login pages in sponsored search results for ManageWP credentials. This technique is particularly effective because users searching for legitimate account login pages often click the first results without scrutiny, and paid search placements carry implicit trust from being displayed alongside organic results. GoDaddy's ManageWP platform is a high-value target: it centralises management of multiple WordPress sites, meaning a single compromised account may grant access to dozens of web properties.
The attack vector exploits a fundamental weakness in search advertising: minimal friction between payment and placement. Unlike organic search results, which require SEO effort and content quality signals, an attacker can register a domain, set up Google Ads, and begin poisoning search results within hours. Google's ad review process, whilst catching obvious malware and financial scams, is less effective against sophisticated phishing pages that mimic legitimate login flows. The attacker likely registered domains closely resembling ManageWP or GoDaddy infrastructure to increase credibility.
Affected users include WordPress agencies, freelancers, and SMBs who rely on ManageWP to manage client sites. Compromise of these accounts creates a pivot point into multiple WordPress installations. Attackers can inject malware, steal sensitive data, modify site content, or establish persistent access across an entire account holder's portfolio. Given that ManageWP administrators often manage hundreds of sites, the blast radius per compromised credential is significant.
Defenders should implement email authentication (SPF, DKIM, DMARC) to reduce follow-on phishing, train users to verify the URL in the address bar before entering credentials, and enable multi-factor authentication on ManageWP accounts immediately. Security teams should monitor for anomalous account activity such as bulk site modifications or plugin installations from unknown IPs. GoDaddy should accelerate detection of malicious ads targeting its platforms and work with Google to expedite takedowns.
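The two monitoring signals above (plugin installs from unknown IPs, and bulk modifications across many sites in a short window) as an added detection example; it is not code from the article or from ManageWP, and the audit log line format, the allowlisted IP and the thresholds are assumptions for illustration.

```python
"""Flag the account activity the article recommends monitoring: plugin installs
from IPs outside a known set, and bursts of site modifications across many sites."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events; the line format is hypothetical, not ManageWP's.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=agency-admin ip=203.0.113.10 action=login site=-
2024-05-01T09:01:10Z user=agency-admin ip=203.0.113.10 action=update_plugin site=client-a.example
2024-05-01T21:14:03Z user=agency-admin ip=198.51.100.77 action=login site=-
2024-05-01T21:14:30Z user=agency-admin ip=198.51.100.77 action=install_plugin site=client-a.example
2024-05-01T21:14:41Z user=agency-admin ip=198.51.100.77 action=install_plugin site=client-b.example
2024-05-01T21:14:52Z user=agency-admin ip=198.51.100.77 action=install_plugin site=client-c.example
2024-05-01T21:15:03Z user=agency-admin ip=198.51.100.77 action=edit_content site=client-d.example
2024-05-01T21:15:15Z user=agency-admin ip=198.51.100.77 action=edit_content site=client-e.example
2024-05-01T21:15:27Z user=agency-admin ip=198.51.100.77 action=edit_content site=client-f.example
"""

KNOWN_IPS = {"203.0.113.10"}            # assumption: the agency's usual egress IP
BULK_ACTIONS = {"install_plugin", "update_plugin", "edit_content"}
BULK_THRESHOLD = 5                      # modifications inside BULK_WINDOW that raise an alert
BULK_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, known_ips=KNOWN_IPS):
    """Return alert tuples for unknown-IP plugin installs and bulk modification bursts."""
    alerts = []
    recent = defaultdict(list)          # user -> [(ts, site)] modifications inside the window
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["action"] == "install_plugin" and ev["ip"] not in known_ips:
            alerts.append(("plugin_install_unknown_ip", ev["user"], ev["ip"], ev["site"]))
        if ev["action"] in BULK_ACTIONS:
            window = recent[ev["user"]]
            window.append((ev["ts"], ev["site"]))
            while ev["ts"] - window[0][0] > BULK_WINDOW:   # expire entries older than the window
                window.pop(0)
            if len(window) == BULK_THRESHOLD:              # fire once as the threshold is crossed
                sites = {site for _, site in window}
                alerts.append(("bulk_modification", ev["user"], ev["ip"], len(sites)))
    return alerts
```

On the sample data the three installs from the unfamiliar IP each raise an alert, and the fifth modification inside ten minutes raises a single bulk alert covering five distinct sites.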
This campaign reflects a broader trend: phishing is migrating from low-cost email infrastructure to paid advertising platforms where placement velocity and legitimacy perception are higher. As defenders improve email filtering and user awareness, attackers are investing in search ads as a more reliable distribution channel.