Phishing Empire Runs Undetected on Google, Cloudflare
Summary
Researchers at Deep Specter Research uncovered a multi-year, industrial-scale phishing-as-a-service (PhaaS) operation that ran largely unnoticed on public cloud infrastructure, primarily Google Cloud and Cloudflare. The campaign hijacked expired, high-trust domains and used cloaking to show search engines cloned, brand-authentic pages while serving credential-harvesting, malware or gambling content to human visitors. The infrastructure comprised tens of thousands of virtual hosts and dozens of physical hosts clustered across regions, and its cloned content was taken from hundreds of organisations, including major global brands such as Lockheed Martin.
The scheme persisted for more than three years, harvesting credentials and delivering malware, and detection was complicated by the fact that many cloned sites still loaded resources from the legitimate brands' own cloud infrastructure. Deep Specter highlights gaps in automated detection and calls for deeper threat intelligence and active domain hygiene by organisations and cloud providers alike.
Key Points
- Deep Specter found what appears to be an industrial-scale PhaaS campaign active for over three years, using cloaking to evade detection.
- The operation used 48,000 hosts and more than 80 clusters, including 44,000 virtual IPs on Google Cloud and 4,000 on other providers.
- Attackers hijacked expired “high-trust” domains and paired them with cloned websites of major brands to steal credentials and deliver malware or gambling content.
- Cloaking served different content to search crawlers than to human visitors, so search results displayed the legitimate-looking clone while people who clicked through landed on malicious content.
- Some cloned sites still load resources from the original brand's cloud, so the brand's own infrastructure unknowingly serves assets to attacker-controlled pages, and those requests can appear in the brand's own access logs.
- Deep Specter observed 265 public detections and found infrastructure hosted in regions including Hong Kong and Taiwan.
- Mitigations include actively tracking and reclaiming expired/dormant domains, enhanced threat intelligence, and not relying solely on automated detections by cloud hosts.
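The hotlinking behaviour in the key points above gives a brand one detection handle it controls: requests for its own scripts, stylesheets and images that arrive with a Referer from a host it does not own. The following is an added example (not code from the Dark Reading article or from Deep Specter) that scans web-server access logs in combined log format, extracts the Referer host for asset requests, and reports hosts outside a hypothetical allowlist of brand-owned domains. The domains, paths and log lines are constructed for illustration.

```python
"""Find foreign sites hotlinking a brand's assets, from access logs.

Added example, not tooling from the article or from Deep Specter.
Assumes Apache/NGINX combined log format. OWNED_DOMAINS and every log
line below are constructed for illustration, not real traffic.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist: registrable domains the brand legitimately
# serves pages from. Subdomains of these are treated as owned.
OWNED_DOMAINS = {"example-brand.com"}

# Asset types a cloned login page typically pulls from the real site.
ASSET_RE = re.compile(r"\.(?:css|js|png|jpg|jpeg|gif|svg|woff2?|ico)(?:\?|$)", re.I)

# Combined log format:
# ip - - [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic: two requests from the brand's own login page,
# three from a look-alike clone on another domain, one direct fetch with
# no Referer (e.g. curl or a browser with a strict referrer policy).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /assets/app.css HTTP/1.1" 200 5123 "https://www.example-brand.com/login" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:13:55:37 +0000] "GET /assets/logo.svg HTTP/1.1" 200 811 "https://www.example-brand.com/login" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2025:14:02:11 +0000] "GET /assets/app.css HTTP/1.1" 200 5123 "https://login.example-brand-portal.net/sso" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2025:14:02:11 +0000] "GET /assets/logo.svg HTTP/1.1" 200 811 "https://login.example-brand-portal.net/sso" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2025:14:03:40 +0000] "GET /assets/fonts/brand.woff2 HTTP/1.1" 200 30211 "http://login.example-brand-portal.net/sso" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:14:05:02 +0000] "GET /assets/app.css HTTP/1.1" 200 5123 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased host of a Referer URL; None when absent ("-") or unparsable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_owned(host):
    """True for an owned domain or any subdomain of one.

    Matching on ".<domain>" rather than a bare suffix avoids treating
    "example-brand.com.evil.net" as owned.
    """
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def find_hotlinking_hosts(log_text):
    """Map each foreign Referer host to how often, from where, and which assets it pulled."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not ASSET_RE.search(rec["path"]):
            continue
        host = referer_host(rec["referer"])
        if host is None or is_owned(host):
            continue
        entry = hits[host]
        entry["count"] += 1
        entry["paths"].add(rec["path"])
        entry["ips"].add(rec["ip"])
    return dict(hits)


if __name__ == "__main__":
    for host, info in sorted(find_hotlinking_hosts(SAMPLE_LOG).items(),
                             key=lambda kv: -kv[1]["count"]):
        print(f"{host}: {info['count']} asset requests from {len(info['ips'])} IPs")
        for path in sorted(info["paths"]):
            print(f"    {path}")
```

Run on real logs, feed the resulting hosts into takedown and threat-intelligence workflows rather than blocking on sight, since a legitimate partner or a cached copy can also hotlink. Two limits worth keeping in mind: browsers strip or truncate Referer under restrictive referrer policies, so a missing Referer is not evidence of absence, and a clone that copies the assets onto its own host leaves no trace here at all; this check only catches the subset of clones the article describes, the ones still pulling from the brand's cloud.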
Context and Relevance
This story matters because it shows how a large-scale phishing operation can sit on major cloud providers and use simple SEO tricks to stay hidden for years. For security teams, it underscores the risk that expired domains, and the stale DNS records that still point at them, pose to brand reputation and to employee and customer credentials. For cloud providers, it highlights the limits of automated detection and the need for richer threat analysis and manual review when cloaking and domain abuse are involved.
Why should I read this?
Quick version: these attackers played hide-and-seek with Google and Cloudflare for years using expired domains and fake brand pages. If you care about keeping your organisation’s brand, employee logins and customer trust intact, this is the sort of clever trick you need on your radar — and the article tells you what to watch for and what to do next.
Author style
Punchy and to the point: this is not just another phishing story but an example of systemic failure. If you run security, brand or domain teams, read the details. It tells you where the blind spots are and why a quick fix will not cut it.
Source
Source: https://www.darkreading.com/cloud-security/phishing-empire-undetected-google-cloudflare