Spam emails promising financial rewards, miracle health products, gambling bonuses, or urgent payment requests are a familiar nuisance. What is less obvious is the infrastructure that sits behind them.
Our investigation uncovered a large-scale network of 12,704 internet-facing servers that appear to support spam and phishing campaigns. The operation uses Google Cloud Storage links as an initial redirect layer before sending visitors to attacker-controlled infrastructure. Those servers, in turn, serve near-identical landing pages containing content scraped from The New York Times, apparently to provide benign-looking pages to security scanners, researchers, and visitors who are not selected targets.
Key findings at a glance
- Phishing emails related to fake financial rewards, health solutions, and payment requests were linked to 12,704 servers in 55 countries
- The campaign abuses Google Cloud Storage links in an attempt to improve deliverability and reduce suspicion
- The servers redirected to near-identical landing page templates containing scraped New York Times news content, intended to serve benign content to scanners and unrecognised visitors while redirecting identified targets to phishing pages
- Pages hosted by the identified servers were served over plain HTTP rather than HTTPS
- 99.8% of observed hosts run end-of-life software
- Infrastructure was distributed across 412 hosting providers, which makes takedown efforts complicated
- 89% of servers have no prior abuse reports, suggesting much of the infrastructure was recently provisioned, rapidly rotated, or used primarily for redirection and staging
Unsolicited emails promising rewards or issuing threats are depressingly commonplace. From gambling sites offering ‘free spins’ to requests for payment details from seemingly legitimate tech companies and dubious solutions for exaggerated health issues, the list is endless.
Rather than individual operators, our research suggests large-scale coordination.
A distinctive CSS path repeated across several phishing pages allowed us to identify 12,704 hosts all serving near-identical landing pages (a news feed scraped from the New York Times).
Moreover, these servers all ran end-of-life software, meaning there are no more security updates. That could indicate the operators prioritize disposability over longevity.
The overwhelming majority of servers (99.98%) were running just four Apache software configurations:
- 69% were running Apache/2.4.52 (Ubuntu)
- 21% were running Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33
- 6% were running Apache/2.4.41 (Ubuntu)
- 4% were running Apache/2.4.58 (Ubuntu)
This suggests the infrastructure was deployed from a small number of server images or automated deployment templates rather than being assembled manually on a host-by-host basis.
The link between these servers and phishing emails begins with Google – specifically, Google’s Cloud Storage.
Why Google Cloud Storage is attractive to attackers
A typical phishing email consists of a web page with a prominent button to claim an offer or make a payment.
These buttons initially appear to lead to a legitimate Google address (attackers commonly abuse trusted services such as Google because users are more likely to recognise and trust familiar brands).
For example:
https://storage.googleapis.com/hjjh0hj0hj01jh01hj01jhhjhjjhhj/listcheap.html#/redirect.html?syx=1x16a04b803a89b4_vl_pick.jvo7y23chm2-1a11s5k.5ityh7a.mwabsdtAMjNjaG0yLTFhMTFzNWs0b1cjP
The Google-owned part of the URL – https://storage.googleapis.com/ – refers to Google Cloud Storage. New Cloud Storage customers get $300 in free credits and can create a storage bucket in minutes, to which they can upload HTML and JavaScript files.
Redirecting traffic
JavaScript runs in the user’s browser. The Google-hosted pages linked from the phishing emails contain JavaScript that redirects the visitor to another attacker-controlled domain. This obscures the final destination from basic scanners and means that Google itself is not directly hosting anything malicious. Attackers can easily swap redirect destinations by changing the JavaScript within the page.
Separating Google-hosted redirect pages from the final destination infrastructure provides attackers with operational flexibility. Redirect destinations can be changed without altering links already embedded in spam campaigns, allowing infrastructure to be replaced or rotated while preserving the original email content.
Having followed the Google-hosted links from 50 phishing emails (in a sandboxed environment), we were repeatedly directed to seemingly identical – though benign – landing pages. This is the mechanism by which the NYT-scraped landing pages serve their purpose: not as cover for all visitors, but as the default response for anyone the infrastructure doesn’t recognise as a valid target.
This behaviour is consistent with infrastructure that selectively delivers content based on characteristics such as location, browser type, referral source, or visitor reputation. While the true filtering logic could not be determined, the presence of benign content suggests some visitors may receive different content than others.
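One way a defender can test for the selective delivery described above is to fetch the same URL under several visitor profiles and compare normalised page bodies. This is an added example, not code from the original investigation; the profiles, the `fake_fetch` stand-in and its filtering rule are constructed assumptions (the real filtering logic was not determined), and a sandboxed HTTP client would replace `fake_fetch` in practice.

```python
import hashlib
import re
from typing import Callable, Dict

# Visitor profiles to compare. The write-up lists browser type and referral
# source among the characteristics such infrastructure may key on.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop_no_referer": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
        "Referer": "",
    },
    "mobile_from_webmail": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/120.0",
        "Referer": "https://mail.example/",
    },
    "scanner_like": {"User-Agent": "python-requests/2.31", "Referer": ""},
}

Fetcher = Callable[[str, Dict[str, str]], str]


def normalise(html: str) -> str:
    """Collapse whitespace and strip script bodies so trivial differences
    (script-injected timestamps, indentation) do not look like cloaking."""
    html = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    return re.sub(r"\s+", " ", html).strip().lower()


def probe_cloaking(url: str, fetch: Fetcher, profiles=PROFILES) -> dict:
    """Fetch url once per profile and group profiles by normalised body digest.
    More than one distinct digest means the server varies content by visitor."""
    groups: Dict[str, list] = {}
    for name, headers in profiles.items():
        body = normalise(fetch(url, headers)).encode()
        digest = hashlib.sha256(body).hexdigest()[:12]
        groups.setdefault(digest, []).append(name)
    return {"url": url, "groups": groups, "cloaking_suspected": len(groups) > 1}


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for a sandboxed HTTP client: serves a scraped news
    feed by default and a different page only to mobile visitors arriving from
    webmail. The real filtering rule is unknown; this only exercises the probe."""
    if "Android" in headers["User-Agent"] and headers["Referer"]:
        return "<html><body><form id='offer'>Claim your reward</form></body></html>"
    return "<html><body><script>var t=1;</script>\n <h1>Top stories</h1></body></html>"
```

Profiles that land in the same group received the same page; a second group is the signal worth investigating further, not proof of the operator's exact rule.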
In addition to their similar visible content, these pages also all contained the same asset path:
assets/ayt/css/main.css
We used this string to identify similar servers using the Shodan search engine. The results point to a global network of 12,704 similarly configured servers being used to host phishing email redirects.
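The indicators in this write-up (the storage.googleapis.com redirect links from the emails, the shared `assets/ayt/css/main.css` path, the four end-of-life Apache banners and plain HTTP) can be turned into a simple triage check for mail-gateway or incident-response tooling. This is an added example, not code from the original investigation; the sample URL, headers and HTML are constructed, and `syx` is only one parameter name seen in the emailed link, so the fragment pattern is kept general.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the write-up: the shared CSS asset path and the four
# end-of-life Apache banners that accounted for 99.98% of sampled hosts.
ASSET_PATH = "assets/ayt/css/main.css"
EOL_SERVER_BANNERS = {
    "Apache/2.4.52 (Ubuntu)",
    "Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33",
    "Apache/2.4.41 (Ubuntu)",
    "Apache/2.4.58 (Ubuntu)",
}
# Fragment shape seen in the emailed links: '#/redirect.html?<param>=<token>'
REDIRECT_FRAGMENT = re.compile(r"^/?redirect\.html\?\w+=\S+")


def is_gcs_redirect_link(url: str) -> bool:
    """True for storage.googleapis.com links whose URL fragment carries a
    redirect.html path plus a tracking token, the pattern used by the campaign."""
    p = urlparse(url)
    if p.scheme != "https" or p.netloc.lower() != "storage.googleapis.com":
        return False
    # urlparse keeps everything after '#' in .fragment, including any '?...'
    return REDIRECT_FRAGMENT.match(p.fragment) is not None


def classify_host(url: str, headers: dict, html: str) -> dict:
    """Score a fetched landing page against the campaign indicators."""
    matches = set()
    if ASSET_PATH in html:
        matches.add("asset_path")
    if headers.get("Server", "") in EOL_SERVER_BANNERS:
        matches.add("eol_banner")
    if urlparse(url).scheme == "http":
        matches.add("plain_http")
    return {"url": url, "matches": matches, "score": len(matches)}


# Constructed sample data (not real campaign artefacts) for a stand-alone run.
SAMPLE_EMAIL_URL = (
    "https://storage.googleapis.com/example-bucket-constructed/listcheap.html"
    "#/redirect.html?syx=1x16a04b803a89b4_constructed"
)
SAMPLE_HEADERS = {"Server": "Apache/2.4.52 (Ubuntu)"}
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="assets/ayt/css/main.css">'
    "</head><body><h1>Top stories</h1></body></html>"
)

if __name__ == "__main__":
    print("email link flagged:", is_gcs_redirect_link(SAMPLE_EMAIL_URL))
    print(classify_host("http://203.0.113.10/", SAMPLE_HEADERS, SAMPLE_HTML))
```

A score of 3 reproduces the profile of the hosts found via Shodan; a lone `eol_banner` hit is common on the wider internet and should not be treated as a campaign match on its own.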
Hosting providers
This infrastructure was distributed across VPS/dedicated server providers rather than residential ISPs. HostPapa was most commonly used (630 hosts), followed by velia.net (453 hosts), OVH SAS (438 hosts), and Leaseweb (423 hosts).
OVH has historically appeared in anti-spam and threat-intelligence datasets. It acknowledges the problem of spammers using its infrastructure and publishes guidance for customers whose IP addresses have been reported by anti-spam organisations. Leaseweb also maintains dedicated resources covering IP blacklisting and abuse prevention, reflecting how commonly its customers’ IP addresses attract abuse complaints. Neither observation suggests wrongdoing by the providers themselves.
Hosting providers were spread across 55 countries, which suggests deliberate geographic diversification. Distributing infrastructure across dozens of providers and jurisdictions increases resilience against takedown efforts. Even if individual hosting companies remove abusive servers, the broader infrastructure can continue operating across other providers and regions.
Around a quarter of the servers are hosted in the US, which is a major commercial hosting region. However, there is also a strong representation from low-cost VPS markets such as Turkey and Romania. Research suggests low-cost hosting and automated registration ecosystems correlate strongly with phishing abuse.
Previous malicious activity
To determine whether this infrastructure had been associated with previous malicious activity, we checked a large sample (5,000) of IP addresses against AbuseIPDB, a crowd-sourced threat intelligence platform that tracks IP addresses reported for spam, fraud, malware distribution, scanning activity, and hacking attempts.
The results showed that 89 percent of the IP addresses had no established abuse history. The low level of historical reporting strongly suggests that much of the infrastructure was either recently provisioned, rapidly rotated, or used primarily as intermediate redirector and staging infrastructure rather than directly hosting malware payloads. This approach can reduce the effectiveness of reputation-based security controls, which often rely on historical abuse data to identify malicious systems.
Evidence of coordinated infrastructure
Several characteristics suggest this was not a collection of unrelated phishing websites. The servers shared identical landing page content, common asset paths, similar software stacks, end-of-life operating environments, and consistent redirect behaviour. Together, these similarities indicate the possible use of a shared deployment toolkit, common service provider, or centrally managed infrastructure rather than independently developed campaigns.
What victims should know
Anyone who enters personal information, including names, addresses, passwords, or payment details, on any page reached via an unsolicited email link should treat that information as compromised. Passwords should be changed immediately, particularly if reused across multiple services. Financial accounts should be monitored for unusual activity.
Clicking a link and reaching a page showing news content does not mean nothing happened. The click itself confirmed to the operator that the email address is live. Such addresses are likely to receive increased spam volumes in future. No further action is required if the link was clicked but no personal information was entered on any subsequent page.
Conclusion
The evidence points to a large, highly repeatable spam-delivery ecosystem rather than a collection of isolated phishing websites. Across more than 12,000 servers in 55 countries, we found the same landing page content — a news feed scraped from the New York Times — served via the same asset paths, on the same end-of-life software configurations, deployed through the same small set of server images. The probability of this pattern emerging independently across thousands of unrelated operators is negligible.
The use of Google Cloud Storage as a redirect layer adds a further layer of coordination: it requires an active Google account, deliberate JavaScript engineering to obscure the final destination, and ongoing maintenance to rotate redirect targets as infrastructure is replaced. This is not the behaviour of scattered opportunists reusing a common kit — it is the behaviour of a managed operation.
The infrastructure appears designed around three priorities: deliverability, evasion, and resilience. Google-owned domains improve the former; selective content delivery and benign-looking landing pages serve the second. Distribution across 412 providers and dozens of jurisdictions ensures that takedowns remain local problems rather than fatal ones.
What remains unknown is the scale of harm. The analysis cannot determine how many emails were sent, how many recipients clicked, or how many entered personal information. What it does establish is that the infrastructure to do this at a very large scale exists, is active, and has been deliberately engineered to be difficult to disrupt.
Methodology
All analysis was conducted using publicly available tools. Any.run was used to safely open and analyse the URLs in spam emails received unsolicited in a standard consumer email account.
The Shodan query used to identify hosts was:
http.html:"assets/ayt/css/main.css"
This identified 12,704 servers. Shodan tagged 12,674 of these as running end-of-life software.
To find configurations, we took a sample of 5,000 servers. These were configured as follows:
- Apache/2.4.52 (Ubuntu): 3,462 hosts: 69.24% of total
- Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33: 1,031 hosts: 20.62% of total
- Apache/2.4.41 (Ubuntu): 319 hosts: 6.38% of total
- Apache/2.4.58 (Ubuntu): 187 hosts: 3.74% of total
- nginx/1.10.1: 1 host: 0.02% of total
We used the percentage of the sample total as being representative of the 12,704 hosts identified by Shodan.
From the sample of 5,000 hosts, we identified 4,610 unique IP addresses (92.2%). AbuseIPDB (crowd-sourced IP reputation database) was used for IP reputation analysis. Again, the proportion was assumed to be representative of the 12,704 hosts identified by Shodan.
The analysis identifies infrastructure associated with spam and phishing distribution but cannot determine the total volume of emails sent, the number of victims targeted, or the ultimate operators responsible for the campaign.
We also used the 5,000 host sample to verify landing pages. We examined every 100th IP address to confirm that each served a variation of the same NYT-based landing page.