Hackers used Google Cloud links and fake New York Times pages to power a massive global phishing machine | TechRadar
How scammers use "scraped New York Times content" to trick security scanners — and exploit "free" Google Cloud links to flood your inbox
Scammers built a 12,704-server network which fooled filters
More than 12,000 servers supported a coordinated phishing infrastructure worldwide
Google Cloud links helped phishing emails appear safer than reality
Fake New York Times pages acted as decoys for scanners
When a suspicious email lands in your inbox promising financial rewards or urgent payment requests, the infrastructure behind that email is rarely what it appears to be.
An investigation by Comparitech revealed a coordinated spam and phishing network spanning 12,704 servers in 55 countries.
These phishing emails are tied to fake financial rewards and similar scams, using tactics designed to evade security tools such as antivirus and ransomware protection systems that many users depend on.
Trusted Google links help the campaign evade detection
The campaign begins with unsolicited emails promoting financial rewards, health products, gambling offers, or urgent payment requests through embedded links.
Rather than directing recipients immediately to attacker-controlled websites, the links first route through Google Cloud Storage pages hosted on Google's infrastructure.
That approach matters because familiar Google domains generally attract less scrutiny from users and automated filtering systems than unknown websites.
Google-owned URLs passed easily through email gateways, firewalls, and reputation filters that routinely extend trust to Google domains without deeper inspection.
Researchers found that attackers uploaded simple HTML and JavaScript files to cloud storage locations, allowing them to redirect visitors elsewhere without placing obviously malicious content on Google's servers.
This separation between the initial link and the final destination also provides operational flexibility for campaign operators.
Redirect destinations can be changed at any time without requiring modifications to emails that have already been distributed to potential victims.
During testing, researchers repeatedly encountered nearly identical landing pages displaying news content copied from The New York Times.
These pages appeared designed to serve as harmless decoys for security products, researchers, and visitors who did not meet specific selection criteria.
The infrastructure supporting these pages shared common software configurations, matching asset directories, similar redirect behaviour, and largely outdated server environments.
The research identified the network through a single CSS file path — assets/ayt/css/main.css — repeated identically across thousands of servers.
This pattern points to a centralized deployment rather than independent operators. Of the 12,704 servers identified, 99.8% ran end-of-life software with no active security updates, spread across 412 hosting providers in dozens of jurisdictions.
That geographic spread was almost certainly deliberate — takedowns targeting one provider leave the rest of the network entirely intact.
Checking 5,000 of those servers against a crowd-sourced IP reputation database revealed that 89% carried no prior abuse history.
This suggests that the infrastructure was either recently provisioned or rotated frequently enough to stay ahead of antivirus and threat intelligence systems.
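The two technical observations above, the redirect hop through a Google Cloud Storage page and the shared CSS path that fingerprints the decoy landing pages, can both be turned into an offline triage check. The following is an added example written for this page; it is not Comparitech's tooling and not code from the original article. It assumes the Google Cloud Storage hostnames storage.googleapis.com and storage.cloud.google.com (an illustrative, not exhaustive, list), and every email body and landing page it inspects is constructed inline so that it runs without network access.

```python
"""Offline triage of a suspected phishing email: flag links that hop through
Google Cloud Storage and fingerprint the final landing page.
Added example, not Comparitech's or TechRadar's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hostnames under which Google Cloud Storage objects are served.
GCS_HOSTS = ("storage.googleapis.com", "storage.cloud.google.com")
# Asset path the research reported as identical across the network's servers.
NETWORK_CSS_PATH = "assets/ayt/css/main.css"


def is_gcs_link(url: str) -> bool:
    """True if the link is served from a Google Cloud Storage hostname."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in GCS_HOSTS)


class _PageScan(HTMLParser):
    """Collects anchors, stylesheet hrefs, meta-refresh targets and inline script text."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.stylesheets, self.meta_refresh, self.scripts = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.stylesheets.append(a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_page(html: str) -> _PageScan:
    p = _PageScan()
    p.feed(html)
    return p


def redirect_target(html: str):
    """URL a page forwards visitors to (meta refresh or JS location change), else None."""
    p = scan_page(html)
    for content in p.meta_refresh:
        m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", content, re.I)
        if m:
            return m.group(1)
    js = "\n".join(p.scripts)
    for pattern in (r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]",
                    r"location\.replace\(\s*['\"]([^'\"]+)['\"]"):
        m = re.search(pattern, js)
        if m:
            return m.group(1)
    return None


def matches_network_fingerprint(html: str) -> bool:
    """True if the page references the CSS path shared across the reported network."""
    return any(NETWORK_CSS_PATH in href for href in scan_page(html).stylesheets)


def triage(email_html: str, fetched_pages: dict) -> dict:
    """Walk each email link through a pre-fetched redirect chain and record the findings."""
    findings = {}
    for url in scan_page(email_html).hrefs:
        chain = [url]
        while chain[-1] in fetched_pages and len(chain) < 5:  # cap guards against loops
            nxt = redirect_target(fetched_pages[chain[-1]])
            if not nxt:
                break
            chain.append(nxt)
        final_html = fetched_pages.get(chain[-1], "")
        findings[url] = {
            "via_gcs": is_gcs_link(url),
            "chain": chain,
            "decoy_fingerprint": matches_network_fingerprint(final_html),
        }
    return findings


# Constructed sample data: a lure email and the pages its links lead to.
EMAIL_HTML = (
    '<p>Your reward is waiting: <a href="https://storage.googleapis.com/example-bucket/claim.html">Claim now</a></p>'
    '<p>Unsubscribe: <a href="https://mail.example.net/unsub">here</a></p>'
)
FETCHED_PAGES = {
    "https://storage.googleapis.com/example-bucket/claim.html":
        '<html><body><script>window.location.href = "http://decoy.example/landing";</script></body></html>',
    "http://decoy.example/landing":
        '<html><head><link rel="stylesheet" href="/assets/ayt/css/main.css"></head>'
        '<body><h1>Copied news headline</h1></body></html>',
}

if __name__ == "__main__":
    for link, result in triage(EMAIL_HTML, FETCHED_PAGES).items():
        print(link, result)
```

In a mail gateway the `fetched_pages` dictionary would be filled by a sandboxed fetcher rather than constructed by hand; the scoring stays the same, and a link that is both served from a cloud-storage host and lands on a page carrying the shared asset path is the combination worth quarantining rather than trusting on the strength of the first hop's domain.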
Anyone who entered personal information on any page reached through one of these emails should treat that data as compromised.
Such users should change their passwords immediately, especially any password reused across multiple services.
They should also monitor all financial accounts closely for unusual activity, however small it may initially appear.
Clicking a link without entering any information still carried a consequence. That click confirmed to the operators that the email address was live and active.
This means the email is likely to receive increased volumes of spam in the future, raising the risk of exposure to additional phishing attempts and fraudulent schemes.
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.