- Cybercriminals abuse Google Ads to lure ManageWP users to fake login pages.
- The phishing flow captures credentials and 2FA codes, and delivers them to Telegram accounts controlled by the attackers.
- Researchers have discovered a custom Russian-language phishing framework, with at least 200 victims confirmed so far.
Cybercriminals are targeting ManageWP users through a series of malicious search results sponsored by Google Ads, security researchers have claimed.
ManageWP is GoDaddy’s cloud service that allows users to manage multiple WordPress sites from a single dashboard. Its users include web developers, agencies managing multiple websites for their clients, and businesses that run several sites of their own. According to WordPress.org data, the ManageWP plugin is installed on over 1 million active websites.
Security researchers at Guardio Labs said they found a fake landing page designed to trick users into sharing not only their login credentials, but also their 2FA codes. The miscreants managed to advertise the page on Google, so every time someone searches for ManageWP (or, presumably, similar services as well), a dangerous result appears at the very top.
Russian threat actors?
Those who don’t spot the scam (by inspecting the URL they are redirected to) see a site that looks almost identical to the legitimate one, and if they log in, their credentials are relayed to a Telegram account controlled by the attackers.
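The article’s advice is to inspect the URL before entering credentials, which is exactly the check a browser extension, proxy or awareness tool can automate. The script below is an added example, not code from Guardio Labs, GoDaddy or the article: it classifies a login URL as legitimate, a brand lookalike, unrelated, or merely suspicious, flagging the usual tricks (brand name on a foreign domain, brand in the userinfo part before the host, plain HTTP). The allowlist, the brand tokens and every sample URL are constructed assumptions; the real campaign’s domains are not on the page.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains where a ManageWP login is expected.
LEGIT_DOMAINS = {"managewp.com", "godaddy.com"}
# Constructed brand tokens whose presence on an untrusted domain marks a lookalike.
BRAND_TOKENS = ("managewp", "godaddy")


def registrable_domain(hostname: str) -> str:
    """Last two DNS labels, e.g. 'orion.managewp.com' -> 'managewp.com'.

    Simplification: a production check should consult the Public Suffix List
    so that names like 'example.co.uk' are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_host(hostname: str) -> str:
    """Decode punycode (xn--) hosts and fold Unicode so homoglyph
    variants compare against the same ASCII brand tokens."""
    try:
        host = hostname.encode("ascii").decode("idna")
    except UnicodeError:
        host = hostname
    return unicodedata.normalize("NFKC", host).lower()


def classify_login_url(url: str) -> dict:
    """Return a verdict dict for a URL a user is about to log in at."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # e.g. https://managewp.com@evil.example/ shows the brand before '@'
        reasons.append("userinfo before host")

    norm = normalize_host(host)
    domain = registrable_domain(norm)
    # Strip dots and hyphens so 'manage-wp' and 'managewp.com.x' both match.
    haystack = ((parts.username or "") + norm).replace("-", "").replace(".", "")
    brand_hit = any(token in haystack for token in BRAND_TOKENS)

    if domain in LEGIT_DOMAINS:
        verdict = "legit"
    elif brand_hit:
        reasons.append(f"brand name on untrusted domain {domain}")
        verdict = "lookalike"
    else:
        verdict = "unrelated"

    # A legitimate or unrelated domain with other red flags still deserves a look.
    if verdict != "lookalike" and reasons:
        verdict = "suspicious"

    return {"url": url, "host": host, "domain": domain,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs; none of these are the campaign's real domains.
    samples = [
        "https://orion.managewp.com/login",
        "https://managewp.com.login-verify.example/",
        "http://manage-wp-secure.example/login",
        "https://managewp.com@evil.example/",
        "https://example.org/",
    ]
    for sample in samples:
        result = classify_login_url(sample)
        print(f"{result['verdict']:10} {sample}  {result['reasons']}")
```

The check deliberately keys on the registrable domain rather than on the full hostname, because a legitimate subdomain such as orion.managewp.com must pass while managewp.com.something.example must not; a sponsored search result is a good place to run it, since the displayed ad text and the landing URL can differ.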
Guardio Labs also said it was able to access the threat actors’ command and control (C2) infrastructure, where a drop-down menu drives an interactive, modular phishing flow. The platform does not appear to be a basic kit; researchers believe it is a private phishing framework.
The researchers didn’t attribute the attack, or the platform, to any specific threat actor, but they did discover something curious. The platform contains a user agreement, written in Russian, in which the creator disclaims any liability for illegal conduct and states that the platform is designed for educational and research purposes only.
The terms of service also prohibit the platform from being used against Russians and the data generated from being publicly disclosed.
At the time of writing, at least 200 victims have been confirmed, all of whom have been notified of the attack.
Via BleepingComputer