Google sponsored search ManageWP phishing campaign
Campaign
Summary
A phishing campaign is abusing Google sponsored search results to impersonate ManageWP and steal login credentials, 2FA codes, and account access. The operation matters because each compromised account can control hundreds of WordPress sites, and 200 unique victims had already been confirmed. The attacker is using a live adversary-in-the-middle (AitM) flow and sending captured credentials to Telegram.
Related Happenings
RubyGems pauses new account signups during major malicious attack
Security Tool/Service
First: 12.05.2026 17:47
Last: 12.05.2026 17:47
Sources 1
About this happening:
**RubyGems** temporarily disabled **new account registration** after a **major malicious attack**, disrupting a core **Ruby package-registry** service while operators contain the...
Open-source admin tool zero-day 2FA bypass exploitation wave
Exploitation Wave
First: 11.05.2026 18:45
Last: 11.05.2026 18:45
Sources 1
About this happening:
Google identified a **mass vulnerability exploitation operation** using a **zero-day 2FA bypass** against a **popular open-source, web-based system administration tool**, creating...
Vercel v0.dev phishing campaign using GenAI-built lure pages
Campaign
First: 07.05.2026 11:30
Last: 07.05.2026 11:30
Sources 1
About this happening:
A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
AccountDumpling Google AppSheet Facebook phishing campaign
Campaign
First: 01.05.2026 21:09
Last: 01.05.2026 21:09
Sources 1
About this happening:
A **Vietnamese-linked** operation dubbed **AccountDumpling** is using **Google AppSheet** as a phishing relay to steal **Facebook** credentials, enabling account takeover at scale...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Timeline
07.05.2026 00:36 2 articles · 20d ago
Google sponsored search phishing against ManageWP
Initial Disclosure
Guardio Labs reported a phishing campaign abusing Google sponsored search results to impersonate ManageWP, GoDaddy’s platform for managing fleets of WordPress websites, and steer victims to a fake login page that acts as a real-time adversary-in-the-middle (AitM) proxy. The campaign captures usernames, passwords, and 2FA codes, sends stolen credentials to a Telegram channel controlled by the attacker, and had reached 200 unique victims while the researchers were contacting exposed users.
Sources
- Hackers abuse Google ads for GoDaddy ManageWP login phishing — www.bleepingcomputer.com — 07.05.2026 00:36