- Cybercriminals abuse Google Ads to lure ManageWP users to fake login pages
- The phishing flow captures credentials and 2FA codes and forwards them to attacker-controlled Telegram accounts
- Researchers have found a customized Russian-language phishing framework with at least 200 confirmed victims so far
Cybercriminals are targeting ManageWP users through a series of malicious Google Ads sponsored search results, security researchers have claimed.
ManageWP is GoDaddy’s cloud-based service that lets users manage multiple WordPress sites from a single dashboard. Its users include web developers, agencies that run multiple websites for their clients, and businesses that operate more than one website. According to data on WordPress.org, ManageWP’s plugin is installed on more than one million active websites.
Security researchers from Guardio Labs said they found a fake landing page designed to trick users into sharing not only their login information but also 2FA codes. The criminals managed to advertise the page on Google, so that whenever someone searches for ManageWP (or presumably similar services as well), they are shown a dangerous result at the very top.
Russian threat actors?
Those who do not detect the scam (by analyzing the URL they are redirected to) are shown a site that looks almost identical to the legitimate one, and if they log in – their credentials are forwarded to a controller-owned Telegram account.
Guardio Labs also said they were able to access the threat actors’ command-and-control (C2) infrastructure by viewing a drop-down menu that allows for an interactive, modular phishing flow. However, the platform does not appear to be part of a commodity kit – the researchers believe this is a private phishing framework.
The researchers did not attribute the attack or the platform to any specific threat actor, but they did find something odd. The platform contains a user agreement, written in Russian, in which the creator disclaims any responsibility for illegal behavior and states that the platform is built for educational and research use only.
The terms of service also prohibit the platform from being used against Russians and for the data generated to be leaked publicly.
At the time of writing, at least 200 victims have been confirmed. Everyone has been warned about the attack.
Via Bleeping Computer
