Cybercriminals are reportedly leveraging fraudulent Google advertisements to capture login details from users of ManageWP, a renowned platform by GoDaddy for managing WordPress sites. This deceptive campaign, identified as ‘WrongPress’ by researchers, strategically places fake ads above genuine ManageWP listings, ensnaring users before they spot the deceit.
Major Risks for Web Administrators
ManageWP serves a critical role for web developers, digital agencies, and large enterprises tasked with overseeing numerous websites. With over one million installations of the ManageWP Worker plugin, according to WordPress.org, a single compromised account offers attackers unprecedented access to a vast network of sites.
The attack is triggered when a user searches for ‘managewp’ on Google, displaying a counterfeit ad above the legitimate link. Guardio Labs, the cybersecurity firm that uncovered this scheme, cautions that even vigilant users might be deceived due to the ad’s convincing placement.
The Deceptive Mechanics of the Attack
A distinguishing feature of this threat is the meticulous replication of the real ManageWP login interface, leaving unsuspecting users vulnerable to credential theft. Once a user inputs their login information, the details are covertly transmitted to an attacker-controlled channel.
Guardio Labs has already identified at least 200 victims and is actively working to notify those affected. By penetrating the attacker’s infrastructure, researchers have gained insights into the campaign’s scope and methods.
Protective Measures for Website Owners
The attack chain is designed to bypass both Google’s ad review systems and user suspicion. It uses a cloaker to filter out automated inspections, allowing only genuine users to encounter the malicious page. This strategy enables attackers to evade detection and manipulate Google Ads to their advantage.
Once on the fake page, a live intermediary attack, known as adversary-in-the-middle (AiTM), captures the victim’s credentials and forwards them to the real ManageWP site. Even two-factor authentication is rendered ineffective, as attackers can utilize the code in real time.
Experts recommend avoiding ads when accessing login pages and suggest bookmarking official URLs or entering them directly. Employing advanced security measures like hardware keys can further safeguard against such phishing attempts.
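Why the hardware-key advice holds against the relay attack described above, as an added illustration that is not part of the article or of Guardio Labs' research: an origin-bound (WebAuthn-style) assertion versus a relayable one-time code. The authenticator signature is simulated with an HMAC over a constructed device secret; in real WebAuthn the site holds only the public key, but what matters here is that the page origin and the challenge sit inside the signed data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: an origin-bound challenge-response versus a relayable
# one-time code. The "signature" is an HMAC with a device-held secret, a
# stand-in for the hardware key's private-key signature; in real WebAuthn the
# relying party verifies with the registered public key instead.

RP_ID = "managewp.com"                        # the site the key was registered for
RP_ORIGIN = "https://" + RP_ID
DEVICE_SECRET = secrets.token_bytes(32)        # never leaves the hardware key

def sign_assertion(challenge: bytes, page_origin: str) -> dict:
    """What the browser plus hardware key produce on whatever page the user is on."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": page_origin,                 # filled in by the browser, not by the page
    }).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()   # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(DEVICE_SECRET, signed, "sha256").digest()}

def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks: origin and challenge are covered by the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != RP_ORIGIN or cd.get("challenge") != expected_challenge.hex():
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(
        assertion["sig"], hmac.new(DEVICE_SECRET, signed, "sha256").digest())

def relay_via_lookalike(lookalike_origin: str) -> bool:
    """An AiTM proxy relays the real site's challenge to the victim's browser on its
    own domain and replays the response; origin binding makes the replay fail."""
    challenge = secrets.token_bytes(32)        # issued by the real site, relayed verbatim
    assertion = sign_assertion(challenge, lookalike_origin)
    return rp_verify(assertion, challenge)

def relay_totp(code: str, expected: str) -> bool:
    """A six-digit code carries no origin, so a relayed code is indistinguishable."""
    return hmac.compare_digest(code, expected)
```

In practice the browser would not even offer the credential on the look-alike domain, because the registered rpId does not match the page's domain; the check in `rp_verify` is the server-side backstop.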
The ‘WrongPress’ campaign underscores the growing sophistication of online threats. Ensuring the authenticity of links before clicking is crucial as cybercriminals continue to exploit search advertising for malicious ends.
