Researchers at Comparitech want to understand the systems working behind spam emails that promise some sort of reward, whether it’s cash or those health products that claim to perform miracles.
So, they began an investigation that uncovered 12,704 internet-accessible servers operating in 55 countries. Researchers traced the activity after identifying the same CSS file location appearing on multiple phishing-related websites.
Comparitech wrote, “Our investigation uncovered a large-scale network of 12,704 internet-facing servers that appear to support spam and phishing campaigns.”
Researchers found near-identical websites running on thousands of servers. Every website displayed content copied from The New York Times. Researchers also found matching software configurations and matching redirect behaviour.
Comparitech wrote, “The operation uses Google Cloud Storage links as an initial redirect layer before sending visitors to attacker-controlled infrastructure.”
Researchers concluded that the infrastructure had been built through automated deployment templates rather than manual server setup.
What Was The Purpose Of The Fake New York Times Pages?
Visitors following phishing email trails often landed on pages displaying articles copied from The New York Times. These pages looked harmless and resembled ordinary news websites.
Researchers found that the copied news content acted as a front. Security scanners, researchers and visitors outside the scammers’ target group often saw these pages instead of phishing content.
Comparitech wrote, “Having followed the links of 50 Google-hosted phishing emails (in a sandboxed environment), we were repeatedly directed to seemingly identical though benign landing pages.”
The company continued, “This is the mechanism by which the NYT-scraped landing pages serve their purpose: not as cover for all visitors, but as the default response for anyone the infrastructure doesn’t recognise as a valid target.”
Researchers could not determine exactly how visitors were filtered. They believed factors such as browser type, referral source and geographic location were used when deciding what content people received.
How Did Google Cloud Storage Help The Scammers?
Researchers found that phishing emails did not immediately send people to scam websites. Recipients first passed through Google Cloud Storage pages hosted on Google’s infrastructure.
That process gave the emails a more trustworthy appearance because people often recognise Google domains and treat them as legitimate destinations – if it looks familiar to them, surely it must be legit.
TechRadar wrote, “Google-owned URLs passed easily through email gateways, firewalls, and reputation filters that routinely extend trust to Google domains without deeper inspection.”
Researchers found HTML and JavaScript files uploaded to Google Cloud Storage. Those files redirected visitors to websites controlled by scammers.
Comparitech wrote, “Separating Google-hosted redirect pages from the final destination infrastructure provides attackers with operational flexibility.”
The company added, “Redirect destinations can be changed without altering links already embedded in spam campaigns, allowing infrastructure to be replaced or rotated while preserving the original email content.”
That arrangement meant scammers could switch destinations whenever needed without sending a new round of phishing emails.
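A defender unwrapping such a chain in a sandbox needs to follow more than HTTP 3xx responses, because the first hop here is a static HTML or JavaScript file on Google Cloud Storage that redirects client-side. The following is an added example, not Comparitech's tooling: the fetcher and page bodies are constructed stand-ins (storage.googleapis.com is the only real hostname; the other hosts are placeholders), and a real implementation would swap `fake_fetch` for a sandboxed HTTP client.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses keyed by URL: (status, headers, body).
# These stand in for what a sandboxed fetch would return, so the example runs offline.
SAMPLE_RESPONSES = {
    # Hop 1: a static HTML file on Google-owned storage that redirects via JavaScript.
    "https://storage.googleapis.com/example-bucket/offer.html": (
        200, {},
        '<html><head><script>window.location.href="https://redirector.example/go?id=1";'
        '</script></head></html>',
    ),
    # Hop 2: an attacker-controlled redirector answering with an HTTP 302.
    "https://redirector.example/go?id=1": (
        302, {"Location": "https://landing.example/news/"}, "",
    ),
    # Final page: the benign-looking copied news article.
    "https://landing.example/news/": (
        200, {}, "<html><body><h1>Copied news article</h1></body></html>",
    ),
    # A second storage file using a meta refresh instead of JavaScript.
    "https://storage.googleapis.com/example-bucket/promo.html": (
        200, {},
        '<html><head><meta http-equiv="refresh" content="0;url=https://landing.example/news/">'
        '</head></html>',
    ),
}

# Client-side redirect forms handled: <meta http-equiv="refresh"> and direct
# assignment to location / location.href. location.replace() is not covered.
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv=[\"']?refresh[\"']?[^>]*content=[\"']?\s*\d+\s*;\s*url=([^\"'>\s]+)",
    re.I)
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)

def fake_fetch(url):
    """Stand-in for a sandboxed HTTP GET; unknown URLs behave like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))

def next_hop(status, headers, body):
    """Return the next URL in the chain, or None when this is the final page."""
    if 300 <= status < 400 and "Location" in headers:
        return headers["Location"]
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return m.group(1) if m else None

def unwrap(url, fetch=fake_fetch, max_hops=10):
    """Follow server- and client-side redirects, returning every URL visited in order."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1])
        nxt = next_hop(status, headers, body)
        if nxt is None or nxt in seen:  # stop at the final page or on a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

# Hosts that mail gateways and reputation filters tend to trust without inspection.
TRUSTED_HOSTS = {"storage.googleapis.com"}

def suspicious_trusted_hop(chain):
    """True when a chain starts on a trusted host but lands on an unrelated domain."""
    hosts = [urlparse(u).hostname for u in chain]
    return len(hosts) > 1 and hosts[0] in TRUSTED_HOSTS and hosts[-1] not in TRUSTED_HOSTS

if __name__ == "__main__":
    for start in ("https://storage.googleapis.com/example-bucket/offer.html",
                  "https://storage.googleapis.com/example-bucket/promo.html"):
        chain = unwrap(start)
        print(" -> ".join(chain), "| flagged:", suspicious_trusted_hop(chain))
```

The point of `suspicious_trusted_hop` is the pattern the article describes: a link whose first hop is a trusted domain but whose final destination is not. Because the redirect target lives inside the storage object, the operator can change it without touching the URL in the email, which is also why a gateway verdict based on the initial domain alone is unreliable.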
How Extensive Was The Infrastructure?
Researchers identified servers spread across 412 hosting providers located in dozens of jurisdictions.
Almost every server used software that no longer received security updates. According to Comparitech, 99.8% of observed hosts were running end-of-life software.
Researchers also examined 5,000 IP addresses using AbuseIPDB, a crowd-sourced threat intelligence database. They found that 89% had no previous abuse reports.
Comparitech wrote, “The low level of historical reporting strongly suggests that much of the infrastructure was either recently provisioned, rapidly rotated, or used primarily as intermediate redirector and staging infrastructure rather than directly hosting malware payloads.”
Researchers also found that 69% of sampled servers ran Apache 2.4.52 on Ubuntu. Another 21% ran Apache 2.4.6 on CentOS with OpenSSL and PHP software. The limited range of software versions reinforced the view that the servers came from a small collection of deployment templates.
Comparitech wrote, “Several characteristics suggest this was not a collection of unrelated phishing websites.”
The company continued, “The servers shared identical landing page content, common asset paths, similar software stacks, end-of-life operating environments, and consistent redirect behaviour.”
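The pivot described at the start of the article (one shared CSS path, corroborated by matching server banners and redirect targets) and the software-version tallies in this section are both things a threat-intelligence analyst would reproduce over scan data. The script below is an added example, not Comparitech's code; the records are constructed placeholders (RFC 5737 documentation addresses and `.example` hostnames), not hosts from the report, and the field names are this example's own.

```python
from collections import Counter, defaultdict

# Constructed scan records (placeholders, not data from the report). Each record is
# what a passive scanner or sandboxed fetch would note for one host: the Server
# banner, the stylesheet path the landing page loads, and the host it redirects to.
def rec(ip, provider, server, css_path, redirect_host):
    return {"ip": ip, "provider": provider, "server": server,
            "css_path": css_path, "redirect_host": redirect_host}

SEED_CSS = "/assets/css/news-clone.css"   # the shared asset path used as the pivot
SAMPLE_RECORDS = [
    rec("192.0.2.10", "host-a.example", "Apache/2.4.52 (Ubuntu)", SEED_CSS, "landing.example"),
    rec("192.0.2.11", "host-a.example", "Apache/2.4.52 (Ubuntu)", SEED_CSS, "landing.example"),
    rec("192.0.2.12", "host-b.example", "Apache/2.4.52 (Ubuntu)", SEED_CSS, "landing.example"),
    rec("192.0.2.13", "host-b.example", "Apache/2.4.52 (Ubuntu)", SEED_CSS, "landing.example"),
    rec("192.0.2.14", "host-c.example", "Apache/2.4.52 (Ubuntu)", SEED_CSS, "landing.example"),
    rec("198.51.100.5", "host-d.example", "Apache/2.4.6 (CentOS)", SEED_CSS, "landing.example"),
    rec("198.51.100.6", "host-e.example", "Apache/2.4.6 (CentOS)", SEED_CSS, "landing.example"),
    # An unrelated host that happens to be in the scan but shares nothing with the campaign.
    rec("203.0.113.9", "host-f.example", "nginx/1.24.0", "/static/site.css", None),
]

def pivot_on_asset(records, css_path):
    """Step 1: select every host whose landing page loads the seed stylesheet path."""
    return [r for r in records if r["css_path"] == css_path]

def template_key(r):
    """Attributes that an automated deployment template would reproduce identically."""
    return (r["server"], r["css_path"], r["redirect_host"])

def cluster_hosts(records, min_size=2):
    """Step 2: group hosts by shared template; singletons are dropped as unrelated."""
    groups = defaultdict(list)
    for r in records:
        groups[template_key(r)].append(r)
    return {k: v for k, v in groups.items() if len(v) >= min_size}

def cluster_summary(records):
    """Per-cluster counts, provider spread and share of the whole scan, largest first."""
    total = len(records)
    out = []
    for key, members in sorted(cluster_hosts(records).items(), key=lambda kv: -len(kv[1])):
        out.append({
            "server": key[0], "css_path": key[1], "redirect_host": key[2],
            "hosts": len(members),
            "providers": len({m["provider"] for m in members}),
            "share": round(100 * len(members) / total, 1),
        })
    return out

def software_distribution(records):
    """Server-banner tally; a very short tail suggests few deployment templates."""
    return Counter(r["server"] for r in records)

if __name__ == "__main__":
    campaign = pivot_on_asset(SAMPLE_RECORDS, SEED_CSS)
    print(f"{len(campaign)} of {len(SAMPLE_RECORDS)} hosts load {SEED_CSS}")
    for c in cluster_summary(SAMPLE_RECORDS):
        print(c)
    print(software_distribution(campaign))
```

A cluster that spans several providers while sharing an identical banner, asset path and redirect target is the signature the article attributes to templated deployment rather than hand-built servers; a banner tally dominated by two versions, as in the 69% / 21% split reported above, points the same way.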
What Should Victims Do After Clicking?
Researchers said anyone who entered names, addresses, passwords or payment information after following one of these emails should assume that information has been compromised.
Passwords should be changed immediately, particularly when reused on multiple accounts. Financial accounts should receive regular checks for suspicious transactions.
People who clicked a phishing email but entered no information face a different issue. Researchers said the click itself confirmed that the email account was active.
Comparitech wrote, “Clicking a link and reaching a page showing news content does not mean nothing happened.”
The company added, “The click itself confirmed to the operator that the email address is live.”
Researchers could not determine how many emails had been distributed or how many people entered personal information, but they concluded that the servers, spread across many countries, formed a single coordinated phishing operation.
