- More than 12,000 servers supported a coordinated phishing infrastructure worldwide
- Google Cloud links helped phishing emails appear safer than they were
- Fake New York Times pages acted as decoys for scanners
When a suspicious email lands in your inbox promising financial rewards or urgent payment requests, the infrastructure behind that email is rarely what it appears to be.
An investigation by Comparitech revealed a coordinated spam and phishing network spanning 12,704 servers in 55 countries.
These phishing emails are tied to fake financial rewards and similar scams, using tactics designed to evade security tools such as antivirus and ransomware protection systems that many users depend on.
Trusted Google links help the campaign evade detection
The campaign begins with unsolicited emails promoting financial rewards, health products, gambling offers, or urgent payment requests through embedded links.
Rather than directing recipients immediately to attacker-controlled websites, the links first route through Google Cloud Storage pages hosted on Google’s infrastructure.
That approach matters because familiar Google domains generally attract less scrutiny from users and automated filtering systems than unknown websites.
Google-owned URLs passed easily through email gateways, firewalls, and reputation filters that routinely extend trust to Google domains without deeper inspection.
Researchers found that attackers uploaded simple HTML and JavaScript files to cloud storage locations, allowing them to redirect visitors elsewhere without placing obviously malicious content on Google’s servers.
This separation between the initial link and the final destination also provides operational flexibility for campaign operators.
Redirect destinations can be changed at any time without requiring modifications to emails that have already been distributed to potential victims.
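To make the hop described above concrete, here is an added Python triage helper; it is not code from Comparitech or from the article. It extracts links from an email body, flags those hosted on Google Cloud Storage (the real hostnames `storage.googleapis.com` and `storage.cloud.google.com`, including bucket-style subdomains), parses the fetched storage object for the two common client-side redirect methods (meta refresh and script-based `location` assignments) and reports whether the resolved target leaves the trusted host. The bucket, object and landing domain in the sample are constructed, and fetching is injected as a function so the example runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Real Google Cloud Storage hostnames; bucket-style names such as
# my-bucket.storage.googleapis.com are matched via the suffix test below.
CLOUD_STORAGE_HOSTS = ("storage.googleapis.com", "storage.cloud.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
JS_REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"        # location = "..." / location.href = "..."
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]"  # location.replace("...")
)


def extract_links(text):
    """All http(s) URLs in an email body, in order of appearance."""
    return URL_RE.findall(text)


def is_cloud_storage_url(url):
    """True when the URL's host is (or is a subdomain of) a Cloud Storage host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


class _RedirectParser(HTMLParser):
    """Collects meta-refresh and script-based redirect targets from one page."""

    def __init__(self):
        super().__init__()
        self.targets = []      # list of (method, raw_target)
        self._script = None    # buffer while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in JS_REDIRECT_RE.finditer("".join(self._script)):
                self.targets.append(("javascript", m.group(1) or m.group(2)))
            self._script = None


def analyse_hop(page_url, html):
    """Resolve every redirect target on the page and flag those leaving the host."""
    parser = _RedirectParser()
    parser.feed(html)
    src_host = (urlparse(page_url).hostname or "").lower()
    hops = []
    for method, raw in parser.targets:
        target = urljoin(page_url, raw)
        dst_host = (urlparse(target).hostname or "").lower()
        hops.append({"method": method, "target": target, "off_host": dst_host != src_host})
    return hops


def triage_email(body, fetch):
    """Classify each link; `fetch(url) -> html` is injected so this runs offline."""
    report = []
    for url in extract_links(body):
        entry = {"url": url, "cloud_storage": is_cloud_storage_url(url),
                 "redirects": [], "redirector": False}
        if entry["cloud_storage"]:
            entry["redirects"] = analyse_hop(url, fetch(url))
            entry["redirector"] = any(h["off_host"] for h in entry["redirects"])
        report.append(entry)
    return report


# Constructed sample input (hypothetical bucket, object and landing domain).
SAMPLE_EMAIL = """Congratulations! Your reward is waiting.
Claim it here: https://storage.googleapis.com/example-bucket/claim.html
Unsubscribe: https://www.example.com/unsubscribe"""

SAMPLE_PAGES = {
    "https://storage.googleapis.com/example-bucket/claim.html": """<html><head>
<meta http-equiv="refresh" content="0;url=https://landing.example.net/?c=123">
<script>setTimeout(function () { window.location.href = "https://landing.example.net/?c=123"; }, 50);</script>
</head><body>Redirecting...</body></html>""",
}


def offline_fetch(url):
    return SAMPLE_PAGES.get(url, "")


if __name__ == "__main__":
    for entry in triage_email(SAMPLE_EMAIL, offline_fetch):
        print(entry)
```

The useful signal for a mail gateway is not the Google hostname itself but the combination: a link on trusted storage whose object does nothing except send the browser to an unrelated host. Because the storage object can be rewritten at any time, a verdict cached from an earlier fetch of the same URL should not be trusted for long.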
During testing, researchers repeatedly encountered nearly identical landing pages displaying news content copied from The New York Times.
These pages appeared designed to serve as harmless decoys for security products, researchers, and visitors who did not meet specific selection criteria.
The infrastructure supporting these pages shared common software configurations, matching asset directories, similar redirect behaviour, and largely outdated server environments.
The scale is difficult to dismiss
The research identified the network through a single CSS file path — assets/ayt/css/main.css — repeated identically across thousands of servers.
This pattern points to a centralized deployment rather than independent operators. Of the 12,704 servers identified, 99.8% ran end-of-life software with no active security updates, spread across 412 hosting providers in dozens of jurisdictions.
That geographic spread was almost certainly deliberate — takedowns targeting one provider leave the rest of the network entirely intact.
Checking 5,000 of those servers against a crowd-sourced IP reputation database revealed that 89% carried no prior abuse history.
This suggests that the infrastructure was either recently provisioned or rotated frequently enough to stay ahead of antivirus and threat intelligence systems.
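The identification method above, keying on one shared asset path, generalizes to fingerprinting a site by the whole set of static assets its page references. The following added Python example (not the researchers' tooling) does both: it lists hosts that reference the reported marker path, and it clusters hosts by a digest of all stylesheet, script and image paths on their landing page, which catches copies of the same deployment even if the one known path is renamed. The host addresses and page bodies are constructed sample data.

```python
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

MARKER_PATH = "assets/ayt/css/main.css"  # the path the investigation keyed on


class _AssetParser(HTMLParser):
    """Collects the static-asset paths a page references (CSS, scripts, images)."""

    def __init__(self):
        super().__init__()
        self.paths = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            ref = a.get("href")
        elif tag in ("script", "img"):
            ref = a.get("src")
        if ref:
            # Keep only the path so the same layout on different hosts matches.
            self.paths.add(urlparse(ref).path.lstrip("/"))


def asset_paths(html):
    parser = _AssetParser()
    parser.feed(html)
    return parser.paths


def fingerprint(paths):
    """Order-independent digest of an asset set; identical deployments share it."""
    return hashlib.sha256("\n".join(sorted(paths)).encode()).hexdigest()[:16]


def cluster_hosts(responses):
    """responses: iterable of (host, html). Returns {fingerprint: {"hosts", "paths"}}.

    Hosts whose page references no assets at all share the empty fingerprint,
    so that cluster should be treated as 'unknown' rather than as one deployment.
    """
    clusters = defaultdict(lambda: {"hosts": [], "paths": set()})
    for host, html in responses:
        paths = asset_paths(html)
        c = clusters[fingerprint(paths)]
        c["hosts"].append(host)
        c["paths"] = paths
    return dict(clusters)


def largest_cluster(clusters):
    return max(clusters.values(), key=lambda c: len(c["hosts"]))


def hosts_with_marker(responses, marker=MARKER_PATH):
    """The narrower check the article describes: which hosts reference one known path."""
    return sorted(host for host, html in responses if marker in asset_paths(html))


# Constructed sample responses (TEST-NET addresses, hypothetical page content).
_DECOY = """<html><head><title>Top stories</title>
<link rel="stylesheet" href="/assets/ayt/css/main.css">
<script src="/assets/ayt/js/app.js"></script></head>
<body><img src="/assets/ayt/img/hero.jpg"><p>{}</p></body></html>"""

SAMPLE_RESPONSES = [
    ("198.51.100.10", _DECOY.format("Markets rally on strong earnings")),
    ("198.51.100.11", _DECOY.format("Council approves new transit plan")),
    ("203.0.113.5",   _DECOY.format("Storms expected across the region")),
    ("192.0.2.44",    '<html><head><link rel="stylesheet" href="/static/site.css">'
                      '</head><body>Unrelated business site</body></html>'),
]

if __name__ == "__main__":
    ranked = sorted(cluster_hosts(SAMPLE_RESPONSES).items(),
                    key=lambda kv: -len(kv[1]["hosts"]))
    for fp, c in ranked:
        flag = "marker present" if MARKER_PATH in c["paths"] else ""
        print(fp, len(c["hosts"]), "hosts", flag)
```

In practice the responses would come from hosts already seen in your own mail or proxy logs, and a cluster that is both large and spread over many providers is the signal that a takedown at a single host will not help; the fingerprint, not the IP list, is what to share with other defenders.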
Anyone who entered personal information on any page reached through one of these emails should treat that data as compromised.
Such users should change their passwords immediately, especially where the password is reused across multiple services.
They should also keep monitoring all financial accounts for unusual activity, however minor it may seem at first.
Clicking a link without entering any information still carried a consequence. That click confirmed to the operators that the email address was live and active.
This means the email is likely to receive increased volumes of spam in the future, raising the risk of exposure to additional phishing attempts and fraudulent schemes.
