- More than 12,000 servers supported a coordinated phishing infrastructure around the world
- Links hosted on Google Cloud made phishing emails look safer than they really were
- Fake New York Times pages acted as decoys for scanners
When a suspicious email promising financial rewards or urgent payment requests arrives in your inbox, the infrastructure behind that email is rarely what it appears to be.
A Comparitech investigation revealed a coordinated spam and phishing network spanning 12,704 servers in 55 countries.
These phishing emails are linked to fake financial rewards and similar scams, using tactics designed to evade security tools such as antivirus and ransomware protection systems that many users rely on.
Trusted Google Links Help Campaign Avoid Detection
The campaign begins with unsolicited emails promoting financial rewards, health products, gambling offers, or urgent payment requests via embedded links.
Instead of immediately directing recipients to attacker-controlled websites, links are first directed through Google Cloud Storage pages hosted on Google infrastructure.
That approach matters because familiar Google domains generally attract less scrutiny, from users and from automated filtering systems alike, than unknown websites.
Google-owned URLs easily passed through email gateways, firewalls, and reputation filters that routinely extend trust to Google domains without further inspection.
The researchers found that the attackers uploaded simple HTML and JavaScript files to cloud storage locations, allowing them to redirect visitors to other locations without placing obviously malicious content on Google servers.
This separation between the initial link and the final destination also provides operational flexibility to campaign operators.
Redirect destinations can be changed at any time without needing to modify emails that have already been distributed to potential victims.
During testing, researchers repeatedly found nearly identical landing pages displaying news content copied from The New York Times.
These pages appeared designed to serve as harmless lures for security products, researchers, and visitors who did not meet specific selection criteria.
The infrastructure supporting these pages shared common software configurations, matching asset directories, similar redirect behavior, and largely outdated server environments.
The scale is difficult to dismiss.
The investigation identified the network through a single CSS file path (assets/ayt/css/main.css) repeated identically on thousands of servers.
This pattern points to centralized deployment rather than independent operators: of the 12,704 servers identified, 99.8% were running end-of-life software without active security updates, spread across 412 hosting providers in dozens of jurisdictions.
That geographic dispersion was almost certainly deliberate: takedowns targeting one provider leave the rest of the network completely intact.
Comparing 5,000 of those servers to a publicly sourced IP reputation database revealed that 89% had no history of abuse.
This suggests that the infrastructure was recently provisioned or rotated frequently enough to stay ahead of antivirus and threat intelligence systems.
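As an added example (not part of the Comparitech investigation or of this article), the following Python sketch shows how a mail-security pipeline could flag the chain described above: a link hosted on Google Cloud Storage, a bare HTML/JS redirector, and a landing page that references the assets/ayt/css/main.css path the researchers used as a fingerprint. The bucket name, the address 203.0.113.10, the example.com links and all page contents are constructed placeholders, and the list of Google Cloud Storage hostnames is an assumption.

```python
import re
from urllib.parse import urlparse

# Hostnames Google Cloud Storage serves objects from (assumed; extend for your environment).
GCS_HOST_SUFFIXES = ("storage.googleapis.com", "storage.cloud.google.com")
# Asset path the investigation used to fingerprint the network (taken from the article).
FINGERPRINT_PATH = "assets/ayt/css/main.css"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Catches JS location.href / location.replace and meta-refresh redirects in a small HTML stub.
REDIRECT_RE = re.compile(r"(?:location\.(?:href|replace)\s*[=(]\s*|url=)['\"]?(https?://[^'\")\s]+)", re.I)


def is_gcs_hosted(url):
    """True when the link points at Google Cloud Storage instead of the sender's own site."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in GCS_HOST_SUFFIXES)


def redirect_target(html):
    """Return the URL a bare redirector page sends the visitor to, or None."""
    m = REDIRECT_RE.search(html)
    return m.group(1) if m else None


def triage_email(body, fetched):
    """Follow each link one redirect hop and collect reasons to distrust it.

    fetched maps URL -> HTML as a sandbox retrieved it; here it is a constructed dict.
    """
    findings = {}
    for url in URL_RE.findall(body):
        reasons = []
        if is_gcs_hosted(url):
            reasons.append("link hosted on Google Cloud Storage")
        target = redirect_target(fetched.get(url, ""))
        if target:
            reasons.append("page is a bare redirector to " + urlparse(target).hostname)
            if FINGERPRINT_PATH in fetched.get(target, ""):
                reasons.append("landing page references " + FINGERPRINT_PATH)
        findings[url] = reasons
    return findings


# Constructed sample: a lure email and the pages a sandbox would have fetched for its links.
SAMPLE_EMAIL = ("Your $500 reward is waiting! Claim it here: "
                "https://storage.googleapis.com/example-bucket/claim.html "
                "Unsubscribe: https://www.example.com/unsubscribe")
SAMPLE_PAGES = {
    "https://storage.googleapis.com/example-bucket/claim.html":
        "<html><script>location.href='http://203.0.113.10/index.php'</script></html>",
    "http://203.0.113.10/index.php":
        "<html><link rel='stylesheet' href='assets/ayt/css/main.css'><h1>Top Stories</h1></html>",
    "https://www.example.com/unsubscribe": "<html><body>You have been unsubscribed.</body></html>",
}

if __name__ == "__main__":
    for link, why in triage_email(SAMPLE_EMAIL, SAMPLE_PAGES).items():
        print(link, "->", why or ["no indicators"])
```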
Anyone who enters personal information on any page they reach through one of these emails must treat that data as if it were compromised.
These users should change their passwords immediately, especially when the password is reused across multiple services.
Additionally, it is important to monitor all financial accounts continuously for unusual activity, no matter how small the transactions may initially appear.
Clicking on a link without entering any information still carried a consequence. That click confirmed to the operators that the email address was live and active.
This means that the address is likely to receive higher volumes of spam in the future, increasing the risk of exposure to phishing attempts and additional fraudulent schemes.