- 12,000+ servers support coordinated phishing infrastructure worldwide
- Google Cloud links made phishing emails appear safer than reality
- Fake New York Times pages served as a decoy for scanners
When a suspicious email arrives in your inbox promising financial rewards or urgent payment requests, the infrastructure behind that email is rarely what it seems.
An investigation by Comparitech revealed a coordinated spam and phishing network spanning 12,704 servers in 55 countries.
These phishing emails are linked to fake financial rewards and similar scams, using tactics designed to evade security tools such as antivirus and ransomware protection systems that many users rely on.
Trusted Google links help campaign evade detection
The campaign begins with unsolicited emails promoting financial rewards, health products, gambling offers or urgent payment requests via embedded links.
Rather than immediately directing recipients to websites controlled by attackers, the links are first routed through Google Cloud Storage pages hosted on Google infrastructure.
This approach is important because familiar Google domains generally attract less attention from users and automated filtering systems than unfamiliar websites.
Google-owned URLs passed easily through email gateways, firewalls, and reputation filters that routinely extend trust to Google domains without further inspection.
Researchers found that attackers uploaded simple HTML and JavaScript files to cloud storage locations, allowing them to redirect visitors elsewhere without placing obviously malicious content on Google’s servers.
This separation between the initial link and the final destination also provides operational flexibility to campaign operators.
Redirect destinations can be changed at any time without requiring changes to emails already delivered to potential victims.
During testing, researchers repeatedly encountered nearly identical landing pages displaying news content copied from The New York Times.
These pages appeared designed to serve as harmless lures for security products, researchers, and visitors who did not meet specific screening criteria.
The infrastructure supporting these pages shared common software configurations, corresponding asset directories, similar redirect behavior, and largely outdated server environments.
The scale is difficult to dismiss
The research identified the network via a single CSS file path – assets/ayt/css/main.css – repeated identically across thousands of servers.
This pattern indicates centralized deployment rather than independent operators: of the 12,704 servers identified, 99.8% were running end-of-life software without active security updates, spread across 412 hosting providers in dozens of jurisdictions.
This geographic spread was almost certainly deliberate: takedowns targeting one provider leave the rest of the network entirely intact.
Checking 5,000 of these servers against a crowdsourced IP reputation database found that 89% of them had no history of abuse.
This suggests that the infrastructure has been recently commissioned or has been refreshed frequently enough to stay ahead of antivirus and threat intelligence systems.
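The two defensive handles the article describes, a Google Cloud Storage link whose hosted HTML or JavaScript bounces the visitor to an unrelated site, and the `assets/ayt/css/main.css` path repeated across the landing servers, can be turned into a simple triage check. The code below is an added illustration, not Comparitech's or TechRadar's tooling; the Google hostnames, the sample email and the sample pages are constructed assumptions, and page fetching is stubbed so it runs offline.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Public hostnames Google Cloud Storage serves objects from (assumption: the
# article says only "Google Cloud Storage pages", not which hostnames were used).
GCS_HOSTS = ("storage.googleapis.com", "storage.cloud.google.com")
# The CSS path the investigation found repeated across thousands of servers.
FINGERPRINT_PATH = "assets/ayt/css/main.css"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+url=([^"\'>\s]+)', re.I)
JS_LOCATION_RE = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["\']([^"\']+)["\']', re.I)

def extract_urls(email_body: str) -> list:
    """Return every http(s) URL embedded in an email body."""
    return URL_RE.findall(email_body)

def is_gcs_url(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in GCS_HOSTS)

def extract_client_redirect(html: str) -> Optional[str]:
    """Find the target of a meta-refresh or JavaScript redirect in a page, if any."""
    for rx in (META_REFRESH_RE, JS_LOCATION_RE):
        m = rx.search(html)
        if m:
            return m.group(1)
    return None

def assess(email_body: str, fetch) -> list:
    """Follow client-side redirects for each link (fetch(url) -> html) and report
    the two indicators described in the investigation."""
    findings = []
    for url in extract_urls(email_body):
        chain, html = [url], fetch(url)
        while (nxt := extract_client_redirect(html)) and nxt not in chain and len(chain) < 5:
            chain.append(nxt)
            html = fetch(nxt)
        reasons = []
        if is_gcs_url(chain[0]) and not is_gcs_url(chain[-1]):
            reasons.append("gcs_link_redirects_offsite")
        if FINGERPRINT_PATH in html:
            reasons.append("known_css_fingerprint")
        findings.append({"chain": chain, "reasons": reasons})
    return findings

# Constructed sample data standing in for live fetches (no network needed).
SAMPLE_PAGES = {
    "https://storage.googleapis.com/example-bucket/offer.html":
        '<html><script>window.location.replace("https://decoy.example/")</script></html>',
    "https://decoy.example/":
        '<html><link rel="stylesheet" href="assets/ayt/css/main.css"><h1>News</h1></html>',
}
SAMPLE_EMAIL = "Claim your reward: https://storage.googleapis.com/example-bucket/offer.html"

def demo() -> list:
    return assess(SAMPLE_EMAIL, lambda u: SAMPLE_PAGES.get(u, ""))
```

In production the `fetch` callback would be a sandboxed fetcher, and a hit on either indicator is a reason to quarantine the message rather than a verdict on its own.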
Anyone who enters personal information on a page accessed via one of these emails should consider that data compromised.
These users should change their password immediately, especially when the password is reused across multiple services.
Additionally, it is important to continually monitor all financial accounts for unusual activity, no matter how small it may initially appear.
Even clicking a link without entering any information had a consequence: the click confirmed to the operators that the email address was live and monitored.
That address is therefore likely to receive increased volumes of spam in the future, raising the risk of exposure to further phishing attempts and fraud schemes.