A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress sites.
The threat actor is using an adversary-in-the-middle (AitM) approach in which the fake login page acts as a real-time proxy between the victim and the legitimate ManageWP service.
ManageWP is a centralized remote management platform for WordPress sites, letting users administer multiple sites from a single panel instead of logging into separate dashboards. Typical users include web developers, web agencies managing client sites, and enterprises.
Researchers at Guardio Labs warn that the fake result is displayed above the real one for the 'managewp' query, luring users who rely on Google to find the URL for logging into ManageWP.

Source: Guardio Labs
Users clicking on the malicious result are taken to a login page that looks identical to the real one. However, any credentials typed in are sent to a Telegram channel controlled by the attacker.
Unlike the more common phishing pages that simply capture username and password pairs, the campaign uses a live AitM setup, as the attacker uses the credentials to log into the platform in real time.
The victim is then served a fake prompt to enter the two-factor authentication (2FA) code, which the threat actor uses to gain access to the ManageWP account.
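As an added illustration (not code from Guardio Labs' report or from ManageWP), the following Python model shows why the real-time relay described above works against a one-time code but fails against a factor bound to the page origin. The origins, keys and the simplified HMAC "assertion" are constructed for the example and stand in for a WebAuthn-style credential.

```python
import hmac
import hashlib
import secrets

# Constructed origins for the illustration: the real service and a lookalike phishing host.
LEGIT_ORIGIN = "https://managewp.example"
PHISH_ORIGIN = "https://managewp-login.example"

def totp_code(secret: bytes, t: int, step: int = 30) -> str:
    """Minimal RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, truncated to 6 digits."""
    counter = (t // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def server_accepts_totp(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(submitted, totp_code(secret, t))

def relay_totp(secret: bytes, t: int, proxy_delay: int = 5) -> bool:
    """The victim types the code into the fake prompt; the proxy forwards it within the
    validity window. Nothing ties the code to the page it was typed on, so the real
    server accepts it. This is the exposure the campaign exploits."""
    captured = totp_code(secret, t)
    return server_accepts_totp(secret, captured, t + proxy_delay)

def sign_assertion(key: bytes, challenge: bytes, origin: str) -> str:
    """Simplified stand-in for a WebAuthn-style assertion: the signature covers the
    server's challenge AND the origin the browser is actually on (constructed model)."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()

def server_accepts_assertion(key: bytes, challenge: bytes, signature: str) -> bool:
    expected = sign_assertion(key, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, signature)

def relay_assertion(key: bytes, browser_origin: str) -> bool:
    """The proxy relays the real server's challenge, but the authenticator signs with the
    origin the victim's browser sees; an assertion made on the phishing origin is rejected."""
    challenge = secrets.token_bytes(32)
    sig = sign_assertion(key, challenge, browser_origin)
    return server_accepts_assertion(key, challenge, sig)
```

Run with a user genuinely on LEGIT_ORIGIN the assertion verifies; run through the proxy (browser on PHISH_ORIGIN) it does not, while the relayed TOTP code is accepted either way.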
Guardio Labs head researcher Nati Tal told BleepingComputer that each ManageWP account typically hosts hundreds of sites.
According to WordPress.org stats, ManageWP's plugin, which gives the platform control over registered sites, is active on more than 1 million websites.
Guardio Labs was able to infiltrate the attacker's command-and-control (C2) infrastructure and observed a dropdown command system that allows an interactive, operator-driven phishing flow.

Source: Guardio Labs
Tal also said that the platform does not appear to be part of a commodity kit but rather a private phishing framework.
Interestingly, the researcher found a Russian-language agreement embedded in the code, in which the author disclaims responsibility for illegal activity, includes an educational/research use disclaimer, and prohibits public leaks of panel data or use against Russia-based systems.
Guardio Labs has captured victim data from the attackers and started contacting victims to alert them about the exposure. The researchers had confirmed 200 unique victims at the time of writing.