Phishing Campaign Targets ManageWP Credentials
A recent phishing campaign has been discovered, targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites. The campaign uses an adversary-in-the-middle (AitM) approach, where the fake login page acts as a real-time proxy between the victim and the legitimate ManageWP service.
ManageWP is a centralized remote administration platform for WordPress websites, enabling users to manage multiple sites from a single panel instead of logging into separate dashboards. Common users include web developers, web agencies managing client sites, and enterprises.
How the Phishing Campaign Works
Researchers at Guardio Labs warn that, for a Google search for 'managewp', the fake result is displayed above the legitimate one, luring users who rely on Google to find the ManageWP login URL. Users who click the malicious result land on a login page that looks identical to the real one, but any credentials typed in are delivered to a Telegram channel controlled by the attacker.
Unlike the more common phishing pages that simply capture username and password pairs, the campaign uses a live AitM setup in which the attacker uses the stolen credentials to log into the platform in real time. The victim is then served a fake prompt for the two-factor authentication (2FA) code, which the threat actor uses to gain access to the ManageWP account.
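To make the mechanism concrete, the following added illustration (not from the article or from Guardio Labs) contrasts a one-time code, which a real-time proxy can forward unchanged, with an origin-bound WebAuthn-style assertion, which the service rejects because the browser records the proxy's origin rather than the real one. The origins and the HMAC stand-in for the authenticator signature are assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets

# Placeholder origins (assumptions for this illustration, not real hosts).
RP_ORIGIN = "https://manager.example"            # the legitimate service
PHISH_ORIGIN = "https://manager-login.example"   # the attacker's proxy host

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def relay_totp(code_from_victim: str, expected_code: str) -> bool:
    """A one-time code says nothing about where it was typed, so a proxy that
    forwards it within its validity window is accepted as genuine."""
    return hmac.compare_digest(code_from_victim, expected_code)

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Simplified WebAuthn clientDataJSON. The browser, not the page, records the
    origin the user is really on, so a proxy cannot substitute the real one."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def sign(key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """Stand-in for the authenticator signature (HMAC instead of an ECDSA key)."""
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                    hashlib.sha256).digest()

def verify_assertion(key: bytes, challenge: bytes, client_data: bytes,
                     auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks: type, origin and challenge must match before the
    signature counts. The origin check is what defeats the proxy."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN:
        return False
    if data.get("challenge") != b64url(challenge):
        return False
    return hmac.compare_digest(sign(key, auth_data, client_data), signature)

def simulate_login(origin_seen_by_browser: str) -> bool:
    """One assertion with the victim's browser on the given origin. The proxy
    forwards the service's challenge unchanged in both cases."""
    key = secrets.token_bytes(32)        # shared with the authenticator at registration
    challenge = secrets.token_bytes(32)  # issued by the service, relayed by the proxy
    client_data = make_client_data(origin_seen_by_browser, challenge)
    auth_data = b"\x00" * 37             # rpIdHash/flags/counter omitted for brevity
    signature = sign(key, auth_data, client_data)
    return verify_assertion(key, challenge, client_data, auth_data, signature)
```

Calling `simulate_login(RP_ORIGIN)` succeeds while `simulate_login(PHISH_ORIGIN)` fails, even though the proxy relayed the challenge faithfully; `relay_totp` shows why a code-based second factor offers no such protection.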
Scope of the Attack
Guardio Labs head researcher Nati Tal told BleepingComputer that each ManageWP account typically hosts hundreds of sites. According to WordPress.org stats, ManageWP's plugin, which gives the platform control over registered sites, is active on more than 1 million websites.
Guardio Labs was able to infiltrate the attacker's command-and-control (C2) infrastructure and observed a dropdown command system that enables an interactive and operator-driven phishing flow. The platform does not seem to be part of a commodity kit but rather a private phishing framework.
Interesting Findings
Interestingly, the researcher found a Russian-language agreement embedded in the code, in which the author disclaims responsibility for illegal activity, includes an educational/research-use disclaimer, and prohibits public leaks of panel files or use against Russia-based systems.
Guardio Labs has captured victim data from the attackers and started to contact victims to alert them about the exposure. The researchers have confirmed 200 unique victims at the time of writing.
The discovery of this phishing campaign highlights the importance of being cautious when clicking on links, even if they appear to be legitimate. It is essential to verify the authenticity of the website and to use strong, unique passwords for all accounts.
As the threat landscape continues to evolve, it is crucial to stay informed about the latest phishing campaigns and to take proactive measures to protect against these types of attacks.
Source: BleepingComputer