Researchers have uncovered what they describe as a “multi-year, industrial-scale phishing and brand impersonation scheme” that operated undetected for more than three years on Google Cloud and Cloudflare. The phishing-as-a-service (PhaaS) network hijacked abandoned domains and cloned websites of Fortune 500 companies, exposing unsuspecting users to credential theft, malware, and fraud.
Cloaking and Domain Hijacking
The campaign relied on “cloaking,” a tactic where search engines see legitimate-looking content, while users are redirected to phishing or gambling sites. Expired domains like militaryfighterjet.com were repurposed to display clones of major corporations, including Lockheed Martin, complete with fake login pages. Some cloned pages even loaded resources from the original brand’s servers, adding legitimacy while making detection harder.
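One defender-side check for the resource hotlinking described above, added here as an illustration and not taken from the article or from Deep Specter's work: a brand owner can scan its own web-server access logs for requests to its static assets whose Referer header points at a domain it does not control. The log lines, the trusted domain example-brand.com and the asset path prefix are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed combined-format access-log lines (not real data). A cloned login page on an
# unrelated domain loads the brand's own logo and script, which shows up as a foreign Referer.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:12:00:01 +0000] "GET /assets/logo.svg HTTP/1.1" 200 4123 "https://www.example-brand.com/login" "Mozilla/5.0"
203.0.113.11 - - [10/Sep/2025:12:00:02 +0000] "GET /assets/logo.svg HTTP/1.1" 200 4123 "https://militaryfighterjet.com/portal/login" "Mozilla/5.0"
203.0.113.12 - - [10/Sep/2025:12:00:03 +0000] "GET /assets/app.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Sep/2025:12:00:04 +0000] "GET /assets/app.css HTTP/1.1" 200 9001 "https://cdn.example-brand.com/" "Mozilla/5.0"
203.0.113.14 - - [10/Sep/2025:12:00:05 +0000] "GET /assets/login.js HTTP/1.1" 200 2210 "http://militaryfighterjet.com/portal/login" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ... "METHOD PATH PROTO" STATUS SIZE "REFERER" "USER-AGENT"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

ASSET_PREFIX = "/assets/"                 # assumption: static assets live under this prefix
TRUSTED_DOMAINS = {"example-brand.com"}   # assumption: domains the brand legitimately controls


def referer_host(referer):
    """Return the hostname of a Referer value, or None when the header was absent."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname


def is_trusted(host):
    """True when host is a trusted domain or a subdomain of one (e.g. cdn.example-brand.com)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def find_hotlinking_hosts(log_text):
    """Map each untrusted Referer host to the count and set of brand assets it pulled."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ASSET_PREFIX):
            continue
        host = referer_host(m["referer"])
        if host is None or is_trusted(host):
            continue
        entry = findings.setdefault(host, {"hits": 0, "paths": set()})
        entry["hits"] += 1
        entry["paths"].add(m["path"])
    return findings


if __name__ == "__main__":
    for host, info in find_hotlinking_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['hits']} asset requests -> {sorted(info['paths'])}")
```

A host that repeatedly pulls login-page assets but never appears as a trusted origin is a candidate for a takedown request or a brand-impersonation investigation; a missing Referer is not flagged because browsers routinely strip it.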
Industrial-Scale Infrastructure
Deep Specter’s investigation revealed an enormous cloud-based setup: 86 physical IP addresses hosted on Google Cloud in Hong Kong and Taiwan, managing 44,000 virtual IPs on Google and 4,000 more on other providers. The operation was organized into 80+ clusters, each running cloned content of more than 200 global organizations. Traffic originated from Google, Meta, and Android apps, with at least 265 public detections logged.
Implications for Companies and Cloud Providers
The scheme highlights risks for both corporations and cloud platforms. For businesses, brand impersonation damages trust and can expose employees to credential compromise, leading to financial or reputational harm. For cloud providers, it underscores how malicious actors can “ride” trusted infrastructure without raising alarms.
Deep Specter urged firms to proactively monitor for expired or abandoned domains, which attackers routinely weaponize. Hosting companies, meanwhile, must combine threat intelligence and deeper analysis beyond automated detection, as skilled adversaries are adept at evading basic defenses.
The scale and longevity of the operation illustrate the resilience of phishing networks and the ongoing challenge of securing public cloud ecosystems against sophisticated abuse.