What Happened
Guardio Labs disclosed on May 7, 2026 an active credential-harvesting campaign targeting users of ManageWP, GoDaddy’s platform for centrally managing fleets of WordPress websites. Attackers placed malicious sponsored ads in Google Search results that appear above the legitimate ManageWP listing, redirecting users to a convincing phishing page.
What makes this campaign technically notable is its use of a live adversary-in-the-middle (AiTM) proxy. Unlike static phishing pages that simply collect usernames and passwords, the AiTM setup relays the victim’s credentials to the legitimate ManageWP service in real time. When ManageWP prompts for a two-factor authentication code, the attacker intercepts and forwards it immediately, completing the authentication before the victim realizes anything is wrong. The result is that the attacker holds a fully authenticated session, with the MFA step satisfied by the relayed code, within seconds of the victim submitting their credentials.
Guardio Labs successfully infiltrated the attacker’s command-and-control infrastructure and observed a dropdown-driven operator console enabling interactive, real-time phishing control. Russian-language code in the C2 included a disclaimer denying operator responsibility for illegal use — a common attempt to insulate the tooling’s author from liability. At least 200 victims have been confirmed. ManageWP’s plugin is active on more than one million websites, representing the potential scale of downstream impact.
Why This Matters for Canadian Organizations
ManageWP is heavily used across Canada’s managed service provider (MSP) community, web development agencies, digital marketing firms, and WordPress-dependent small and medium businesses. A single compromised ManageWP account typically grants control over dozens to hundreds of client websites simultaneously — enabling attackers to inject payment card skimmers, redirect traffic to malware distribution sites, steal stored credentials, or deploy ransomware across entire client portfolios in a single operation.
For Canadian MSPs operating under frameworks like OSFI B-13 or serving clients with PIPEDA obligations, a ManageWP account breach is not a single-organization incident: it is a multi-client supply chain event. Every site under management becomes a potential breach vector. The AiTM technique’s ability to defeat standard MFA protections is a direct challenge to organizations that believe MFA alone is sufficient defense against phishing. Against real-time relay attacks, it is not.
Google Ads abuse as a distribution mechanism is a deliberate choice by attackers: it places malicious pages at the top of search results for users actively seeking to log in, targeting the moment of highest intent and lowest suspicion. Canadian users searching for “ManageWP login” or similar terms are at direct risk right now.
What to Do
Do not search for ManageWP in Google and click on sponsored results — navigate directly to the known legitimate URL. Audit your ManageWP account for unauthorized sessions or recent logins from unfamiliar IP addresses and revoke any suspicious sessions immediately. Enable login notifications within ManageWP so any new session triggers an alert. If your organization uses ManageWP across a client portfolio, notify clients whose sites are under management and conduct a brief integrity check on site files for unexpected injections. Consider adopting phishing-resistant MFA methods such as FIDO2 hardware keys or passkeys for ManageWP and other web platform accounts — these are not vulnerable to AiTM relay attacks in the way TOTP codes are. Brief your team on AiTM phishing techniques, emphasizing that receiving a valid MFA prompt is not proof the login page is legitimate.
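Added example, not code from Guardio Labs, BleepingComputer or ManageWP: a Python model of why the real-time relay described above works against a TOTP code but not against a FIDO2/WebAuthn credential. The relying-party ID, origin, challenge and keys are constructed placeholders, and an HMAC with a shared key stands in for the credential's ECDSA signature; the TOTP function itself follows RFC 6238.

```python
import hashlib
import hmac
import json
import struct

# Constructed relying-party identity (placeholder, not ManageWP's real values).
RP_ID = "wp-manager.example"
RP_ORIGIN = "https://" + RP_ID


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Its only inputs are the shared secret and time."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret: bytes, code: str, t: int) -> bool:
    # Nothing here identifies the page the user typed the code into, so a code
    # relayed through a proxy inside the time step is accepted like any other.
    return hmac.compare_digest(code, totp(secret, t))


def sign_assertion(cred_key: bytes, challenge: str, origin: str) -> dict:
    """Authenticator side of a WebAuthn assertion, simplified: it signs
    authenticatorData || SHA-256(clientDataJSON). The browser, not the user,
    fills in `origin` from the page actually being visited. HMAC with a shared
    key stands in for the credential's ECDSA signature (simplification)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(cred_key: bytes, challenge: str, a: dict) -> bool:
    """Relying-party checks taken from the WebAuthn assertion verification procedure."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False  # origin binding: an assertion made on a look-alike domain fails here
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # rpIdHash must match this relying party
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])  # origin sits under the signature
```

The contrast is in the function signatures: `verify_totp` has no notion of where the code was entered, while `verify_assertion` rejects any assertion whose signed origin is not the relying party's own.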
Source: BleepingComputer