When a suspicious email arrives promising a financial reward or demanding urgent payment, the infrastructure behind it is likely far more elaborate than a simple malicious link. According to an investigation by Comparitech, a coordinated phishing and spam network has been discovered operating across 12,704 servers in 55 countries, all linked to a single campaign that relies on trusted Google Cloud domains to evade detection.
The scale of the operation
The research identified the network through a single CSS file path — assets/ayt/css/main.css — repeated identically across thousands of servers. This pattern, Comparitech reported, points to a centralized deployment rather than independent operators. Of the 12,704 servers identified, 99.8% ran end-of-life software with no active security updates. The servers were spread across 412 hosting providers in dozens of jurisdictions, a geographic spread almost certainly deliberate: takedowns targeting one provider leave the rest of the network intact.
| Metric | Value |
|---|---|
| Total servers | 12,704 |
| Countries involved | 55 |
| Servers running end-of-life software | 99.8% |
| Servers with no prior abuse history | 89% (of 5,000 checked) |
| Hosting providers | 412 |
Checking 5,000 of those servers against a crowd-sourced IP reputation database revealed that 89% carried no prior abuse history. Comparitech noted that this suggests the infrastructure was either recently provisioned or rotated frequently enough to stay ahead of antivirus and threat intelligence systems.
How the phishing campaign works
The campaign begins with unsolicited emails promoting financial rewards, health products, gambling offers, or urgent payment requests through embedded links. Rather than directing recipients immediately to attacker-controlled websites, the links first route through Google Cloud Storage pages hosted on Google's infrastructure. Comparitech explained that this matters because familiar Google domains generally attract less scrutiny from users and automated filtering systems than unknown websites. Google-owned URLs passed easily through email gateways, firewalls, and reputation filters that routinely extend trust to Google domains without deeper inspection.
Researchers found that attackers uploaded simple HTML and JavaScript files to cloud storage locations, allowing them to redirect visitors elsewhere without placing obviously malicious content on Google's servers. This separation between the initial link and the final destination also provides operational flexibility: redirect destinations can be changed at any time without requiring modifications to emails already distributed.
During testing, researchers repeatedly encountered nearly identical landing pages displaying news content copied from The New York Times. These pages appeared designed to serve as harmless decoys for security products, researchers, and visitors who did not meet specific selection criteria.
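The two observable traits described above, the Google Cloud Storage first hop that redirects elsewhere and the repeated `assets/ayt/css/main.css` path, can be turned into a triage check over what a URL sandbox captures. The following is an added example and not Comparitech's tooling; it assumes that the "Google Cloud Storage pages" resolve to the `storage.googleapis.com` and `storage.cloud.google.com` hosts, and the redirect chain and landing HTML it uses are constructed sample data.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: Google Cloud Storage objects are served from these hosts
# (path-style and bucket-style, e.g. bucket.storage.googleapis.com).
GCS_HOST_SUFFIXES = ("storage.googleapis.com", "storage.cloud.google.com")

# Fingerprint reported by Comparitech: the same stylesheet path on thousands of servers.
AYT_CSS_RE = re.compile(r"""href=["'][^"']*assets/ayt/css/main\.css""", re.IGNORECASE)


def is_gcs_host(hostname: str) -> bool:
    """True if the hostname is, or is a bucket subdomain of, a Cloud Storage endpoint."""
    host = (hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in GCS_HOST_SUFFIXES)


def triage_chain(chain: List[str], landing_html: str) -> Dict[str, object]:
    """Score a sandbox-captured redirect chain plus the final page's HTML.

    chain: URLs in the order the sandbox followed them; chain[0] is the link from the email.
    landing_html: body of the last URL in the chain.
    """
    hosts = [urlparse(u).hostname or "" for u in chain]
    first_is_gcs = bool(hosts) and is_gcs_host(hosts[0])
    # The article's pattern: a trusted Google host that only hands the visitor off elsewhere.
    final_offsite = len(hosts) > 1 and not is_gcs_host(hosts[-1])
    result: Dict[str, object] = {
        "gcs_redirector": first_is_gcs and final_offsite,
        "ayt_css_fingerprint": AYT_CSS_RE.search(landing_html) is not None,
        "first_host": hosts[0] if hosts else "",
        "final_host": hosts[-1] if hosts else "",
    }
    hit = result["gcs_redirector"] or result["ayt_css_fingerprint"]
    result["verdict"] = "suspicious" if hit else "no-match"
    return result


# Constructed sample: a bucket-hosted HTML hop that redirects to an unrelated site,
# whose landing page pulls the fingerprinted stylesheet.
SAMPLE_CHAIN = [
    "https://storage.googleapis.com/example-bucket/promo.html",
    "https://landing.example/offer?id=123",
]
SAMPLE_LANDING_HTML = '<html><head><link rel="stylesheet" href="/assets/ayt/css/main.css"></head></html>'

if __name__ == "__main__":
    print(triage_chain(SAMPLE_CHAIN, SAMPLE_LANDING_HTML))
```

A legitimate page hosted in a bucket that forwards to a company site will also trip `gcs_redirector`, so treat the output as a triage signal for analyst review rather than an automatic block.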
Consequences for victims
Anyone who entered personal information on any page reached through one of these emails should treat that data as compromised. Comparitech advised that such users change their passwords immediately, especially where the password is reused across multiple services. It is also important to monitor all financial accounts continuously for unusual activity, however small.
Clicking a link without entering any information still carried a consequence: that click confirmed to the operators that the email address was live and active. This means the email is likely to receive increased volumes of spam in the future, raising the risk of exposure to additional phishing attempts and fraudulent schemes.
Implications for supply chain cybersecurity
For enterprise technology decision-makers, especially those in supply chain and logistics, this campaign highlights the growing sophistication of phishing operations that can bypass conventional email security. Supply chain personnel often receive invoices, payment requests, and shipping notifications—making them prime targets for scams that impersonate trusted partners. The use of Google Cloud as a redirector underscores the need for security awareness training that includes recognizing legitimate-looking but malicious links, even on trusted domains.
The scale—12,704 servers in 55 countries—and the fact that 89% of checked servers had no prior abuse history indicate that threat actors are investing in infrastructure that can evade reputation-based blocklists. Supply chain technology leaders should consider layered defenses: email authentication, URL sandboxing, and user education focused on verifying unexpected financial or shipping requests through secondary channels.