- More than 12,000 servers supported a coordinated phishing infrastructure worldwide
- Google Cloud Storage links made phishing emails look more trustworthy than they were
- Fake New York Times pages served as decoys for scanners and researchers
When a suspicious email lands in your inbox promising financial rewards or urgent payment requests, the infrastructure behind that email is rarely what it seems.
An investigation by Comparitech revealed a coordinated spam and phishing network spanning 12,704 servers in 55 countries.
The emails push fake financial rewards and similar scams, and the infrastructure behind them is built to slip past the email gateways, reputation filters and antivirus tools that many users rely on.
Trusted Google links help the campaign avoid detection
The campaign begins with unsolicited emails promoting financial rewards, health products, gambling offers or urgent payment requests through embedded links.
Instead of sending recipients straight to attacker-controlled websites, the links first route through pages hosted in Google Cloud Storage, on Google's own infrastructure.
That matters because well-known Google domains attract far less scrutiny from users and automated filters than unknown sites.
Google-owned URLs passed through email gateways, firewalls and reputation filters that routinely extend trust to Google domains without inspecting what the page actually does.
Researchers found that the attackers uploaded simple HTML and JavaScript files to Google Cloud Storage buckets; the files do nothing but redirect the visitor elsewhere, so no overtly malicious content ever sits on Google's servers.
This separation between the initial link and the final destination also provides operational flexibility for campaign operators.
Redirect destinations can be changed at any time without requiring changes to emails that have already been distributed to potential victims.
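The redirect stubs described above are ordinary static pages, so the final destination can be recovered by following each hop in the same way a browser would. The following Python script is an added example, not code from Comparitech or from this article: it resolves a chain offline by recognising HTTP Location headers, meta refresh tags and the plain JavaScript location assignments a static HTML/JS stub can carry. The bucket name, hostnames and page bodies are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Client-side redirect forms a static stub can carry:
#   window.location = "..."; location.href = '...'; location.replace("...")
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)""",
    re.IGNORECASE,
)


class MetaRefreshParser(HTMLParser):
    """Pulls the target URL out of the first <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta" or self.target:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.target = m.group(1)


def next_hop(url, status, headers, body):
    """Return the URL this response sends the visitor to, or None for a final page."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:        # server-side redirect
        return urljoin(url, hdrs["location"])
    p = MetaRefreshParser()                                 # meta refresh
    p.feed(body)
    if p.target:
        return urljoin(url, p.target)
    m = JS_REDIRECT_RE.search(body)                         # JavaScript redirect
    if m:
        return urljoin(url, m.group(1) or m.group(2))
    return None


def resolve_chain(start, fetch, max_hops=10):
    """Follow redirects from `start` using `fetch(url) -> (status, headers, body)`.

    Stops on a final page, an unknown URL, a loop, or after max_hops hops.
    """
    chain = [start]
    url = start
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            break
        nxt = next_hop(url, *resp)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


# Constructed sample chain (bucket name, hosts and bodies are hypothetical):
# storage stub (JS) -> tracker (302) -> landing (meta refresh) -> form page.
SAMPLE_RESPONSES = {
    "https://storage.googleapis.com/example-bucket-123/offer.html": (
        200, {"Content-Type": "text/html"},
        '<html><body><script>window.location.href="https://go.example/r?c=7";'
        '</script></body></html>'),
    "https://go.example/r?c=7": (
        302, {"Location": "http://landing.example/assets/ayt/index.html"}, ""),
    "http://landing.example/assets/ayt/index.html": (
        200, {}, '<meta http-equiv="refresh" content="0; url=/claim">'),
    "http://landing.example/claim": (200, {}, "<html><form>...</form></html>"),
}


def offline_fetch(url):
    """Stand-in for an HTTP client, so the example runs without network access."""
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    for hop in resolve_chain(
            "https://storage.googleapis.com/example-bucket-123/offer.html", offline_fetch):
        print(hop)
```

The JavaScript detection is a regular expression over the page body, which is enough for the simple stubs the article describes but not for obfuscated scripts; a headless browser is the robust option when the regex finds nothing on a page that still redirects. Swapping `offline_fetch` for a real client that records the response status, headers and body lets the same code walk live chains from a sandboxed analysis host.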
During the investigation, researchers repeatedly encountered nearly identical landing pages that displayed news content copied from The New York Times.
These pages appeared to be designed as harmless decoys for security products, researchers and any visitor who did not meet the operators' selection criteria.
The infrastructure supporting these sites shared common software configurations, matching asset catalogs, similar redirect behavior, and largely outdated server environments.
The scale is hard to dismiss
The researchers identified the network through a single CSS file path, assets/ayt/css/main.css, repeated identically across thousands of servers.
That pattern points to a centralized deployment rather than independent operators. Of the 12,704 servers identified, 99.8% were running end-of-life software with no active security updates, spread across 412 hosting providers in dozens of jurisdictions.
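A shared asset path like this is a practical pivot for both hunting and clustering. As an added example, not from the article or from the researchers, the Python below extracts the asset catalog (script, stylesheet and image paths) from a fetched landing page, flags the reported indicator path, and groups hosts whose catalogs are identical regardless of which hostname the absolute URLs point at. The sample pages and hostnames are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# The path reported by the investigation; everything else here is illustrative.
INDICATOR_PATH = "assets/ayt/css/main.css"


class AssetCollector(HTMLParser):
    """Collects the src/href of the asset-bearing tags on a page."""

    ATTRS = {"script": "src", "link": "href", "img": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        key = self.ATTRS.get(tag.lower())
        if not key:
            return
        for k, v in attrs:
            if k.lower() == key and v:
                self.refs.append(v)


def normalize(ref):
    """Drop scheme, host and query so the same catalog on different hosts compares equal."""
    return urlparse(ref).path.lstrip("/")


def asset_catalog(html):
    """Sorted, de-duplicated list of normalized asset paths on the page."""
    c = AssetCollector()
    c.feed(html)
    return sorted({normalize(r) for r in c.refs})


def catalog_fingerprint(html):
    """Stable hash of the asset catalog; identical templates give identical hashes."""
    return hashlib.sha256("\n".join(asset_catalog(html)).encode()).hexdigest()


def has_indicator(html):
    return INDICATOR_PATH in asset_catalog(html)


def cluster(pages):
    """Group hosts by template: {host: html} -> {fingerprint: [hosts]}."""
    groups = {}
    for host, html in pages.items():
        groups.setdefault(catalog_fingerprint(html), []).append(host)
    return groups


# Constructed sample pages: two decoys sharing one template, plus an unrelated site.
DECOY_TEMPLATE = """<html><head>
<link rel="stylesheet" href="/assets/ayt/css/main.css">
<script src="http://{host}/assets/ayt/js/app.js"></script>
</head><body><img src="/assets/ayt/img/logo.png"></body></html>"""
DECOY_HOST_A = DECOY_TEMPLATE.format(host="news-a.example")
DECOY_HOST_B = DECOY_TEMPLATE.format(host="news-b.example")
OTHER_SITE = '<html><head><link rel="stylesheet" href="/static/site.css"></head><body></body></html>'

SAMPLE_PAGES = {
    "news-a.example": DECOY_HOST_A,
    "news-b.example": DECOY_HOST_B,
    "shop.example": OTHER_SITE,
}

if __name__ == "__main__":
    for fp, hosts in cluster(SAMPLE_PAGES).items():
        flagged = has_indicator(SAMPLE_PAGES[hosts[0]])
        print(f"{fp[:16]}  indicator={flagged}  hosts={hosts}")
```

Hashing the whole catalog rather than matching the one known path is deliberate: if operators rename `main.css` the indicator goes stale, but a full catalog fingerprint (or a near-duplicate comparison on it) still groups hosts built from the same template, which is the centralized-deployment signal the researchers relied on.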
The geographic spread was almost certainly deliberate: a takedown aimed at one provider leaves the rest of the network intact.
Checking 5,000 of these servers against a crowd-sourced IP reputation database showed that 89% had no previous abuse history.
This suggests the infrastructure was either recently provisioned or rotated often enough to stay ahead of IP reputation and threat intelligence feeds, which is why a clean reputation score alone should not be taken as a sign that a host is safe.
Anyone who has entered personal information on a page accessed through one of these emails should treat that data as compromised.
Such users should change their passwords immediately, especially where the password is reused across multiple services.
In addition, it is important to constantly monitor all financial accounts for unusual activities, no matter how small they may appear at first.
Clicking a link without entering any information still has a consequence: the click confirmed to the operators that the email address is live and monitored.
That address is therefore likely to receive more spam in future, raising the risk of exposure to further phishing attempts and fraudulent schemes.



