Cybercriminals are hijacking Google Ads to target users of ManageWP, a cloud-based service by GoDaddy that allows management of multiple WordPress sites. Security researchers from Guardio Labs discovered that attackers are using sponsored search results to direct users to fake login pages designed to capture not only their login credentials but also two-factor authentication (2FA) codes. The phishing scheme has already affected at least 200 victims, who have been alerted about the attack. The malicious ads appear at the top of search results when users look for ManageWP or similar services. The fake landing page closely resembles the legitimate site, making it difficult for users to identify the scam. Guardio Labs accessed the attackers' command-and-control infrastructure, revealing a custom Russian-language phishing framework that is not part of a commercial kit. This framework includes a user agreement that denies responsibility for illegal activities and states that it is intended for educational purposes only. The platform also prohibits targeting Russians or leaking generated data publicly.