Phishing Campaign Went Undetected for Over 3 Years on Google Cloud and Cloudflare

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

A sophisticated phishing operation has been running undetected for over three years across Google Cloud and Cloudflare infrastructure, impersonating major corporations including defense contractor Lockheed Martin.

The campaign, which used advanced cloaking techniques and repurposed expired domains, demonstrates a concerning failure in detection capabilities at two of the internet’s largest service providers.

The operation began with attackers acquiring expired domains that previously belonged to legitimate organizations, then deploying cloned websites of Fortune 500 companies.

The scheme specifically targeted high-value domains with established reputations and active social media communities, making the impersonations more convincing to unsuspecting users.

One notable case involved the domain militaryfighterjet.com, which originally hosted content about military aircraft but was transformed into a gambling site that simultaneously served as a perfect clone of Lockheed Martin’s corporate website.

Clone of Lockheed Martin’s site (Source – Medium)

The attackers employed sophisticated cloaking technology that presented different content based on the visitor’s user agent and geographic location.

Search engine crawlers, and users arriving through Google search results, were shown legitimate-looking clones of corporate websites.

However, direct browser access revealed gambling content, creating a dual-purpose infrastructure that evaded automated detection systems while serving illicit content to real users.

Deep Specter Research analysts identified this massive operation through their investigation of the militaryfighterjet.com domain transformation.

Their analysis revealed that the infrastructure comprised over 48,000 active virtual hosts organized into 86 distinct clusters, with the majority hosted on Google Cloud platforms in Hong Kong and Taiwan.

The researchers discovered evidence of the operation dating back to 2021, with significant expansion periods coinciding with major cybersecurity incidents and data breaches worldwide.

Technical Infrastructure and Attack Methodology

The campaign’s technical sophistication becomes apparent when examining the underlying infrastructure and deployment methods.

Deep Specter Research analysts noted that the attackers utilized HTTrack Website Copier, a legitimate web scraping tool, to create pixel-perfect replicas of target organizations’ websites.

Evidence of this tool’s usage was found embedded in the HTML comments of cloned sites, including timestamps showing when specific sites were copied.

The operation’s source code analysis revealed strategic implementation details that made detection particularly challenging.

The cloaking system examined HTTP headers, user agent strings, and IP geolocation data to determine whether visitors were legitimate users, search engine bots, or security researchers.

Gambling content (Source – Medium)

This selective content delivery allowed the malicious sites to maintain high search engine rankings while serving gambling content and potential malware to targeted demographics.
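A defender can surface this kind of cloaking by fetching the same URL under different client profiles and comparing the visible content, and can look for the HTML comment HTTrack leaves when it mirrors a site (the "Mirrored from" marker mentioned above). The following is an added example, not code from the researchers or the article; the three responses are constructed inline to stand in for fetches made with a crawler, a browser and a plain HTTP client, and the threshold value is an assumption.

```python
import re
from itertools import combinations

# Constructed sample: one URL fetched with three client profiles. The crawler
# profile gets a corporate-looking mirror (with an HTTrack comment), the others
# get gambling content, which is the cloaking pattern described in the article.
SAMPLE_RESPONSES = {
    "googlebot": "<html><head><title>Corporate Site</title></head><body>"
                 "<!-- Mirrored from www.example-corp.test/ by HTTrack Website Copier/3.x "
                 "[XR&CO'2014], Mon, 03 May 2021 10:11:12 GMT -->"
                 "<h1>Aerospace and Defense</h1><p>Innovation for the warfighter.</p></body></html>",
    "browser":   "<html><head><title>Best Online Casino Bonus</title></head><body>"
                 "<h1>Play Slots Now</h1><p>Claim your welcome bonus today.</p></body></html>",
    "curl":      "<html><head><title>Best Online Casino Bonus</title></head><body>"
                 "<h1>Play Slots Now</h1><p>Claim your welcome bonus today.</p></body></html>",
}

# HTTrack writes a comment of the form "Mirrored from <source> by HTTrack Website Copier/..."
HTTRACK_RE = re.compile(r"<!--\s*Mirrored from\s+(\S+)\s+by HTTrack Website Copier[^>]*-->", re.I)


def visible_tokens(html):
    """Words a visitor would actually see: comments, scripts, styles and tags removed."""
    html = re.sub(r"<!--.*?-->", " ", html, flags=re.S)
    html = re.sub(r"<(script|style).*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", html)
    return set(re.findall(r"[a-z0-9]{3,}", text.lower()))


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty pages count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def detect_cloaking(responses, threshold=0.5):
    """Flag profile pairs whose visible text diverges, and report HTTrack mirror sources."""
    tokens = {profile: visible_tokens(html) for profile, html in responses.items()}
    divergent = []
    for a, b in combinations(sorted(tokens), 2):
        sim = jaccard(tokens[a], tokens[b])
        if sim < threshold:  # assumed threshold; tune against known-good sites
            divergent.append((a, b, round(sim, 2)))
    sources = {}
    for profile, html in responses.items():
        m = HTTRACK_RE.search(html)
        if m:
            sources[profile] = m.group(1)
    return {"cloaked": bool(divergent), "divergent_pairs": divergent, "httrack_sources": sources}


if __name__ == "__main__":
    print(detect_cloaking(SAMPLE_RESPONSES))
```

On the sample, the crawler profile diverges completely from both client profiles while those two agree, and the mirror source is recovered from the crawler-facing page.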

The infrastructure demonstrated remarkable resilience and scalability, with attackers maintaining over 200 cloned brands across multiple industries including military, healthcare, and manufacturing sectors.

The largest single cluster contained nearly 6,000 virtual hosts serving cloned content of a single organization, suggesting this may represent preparation for a large-scale breach campaign.

Analysis of the network architecture revealed eight upper-tier management hosts coordinating 78 regular cluster managers, indicating a hierarchical command structure typical of professional cybercriminal operations.

The attackers strategically leveraged the trusted nature of Google Cloud and Cloudflare infrastructure to bypass security filters and maintain persistence across their extensive network of compromised domains.
