Phishing Empire Runs Undetected on Google, Cloudflare

Miravi

Aug 31, 2024
What researchers are calling a "multi-year, industrial-scale phishing and brand impersonation scheme" operated undetected for more than three years on Google Cloud and Cloudflare platforms.

The team at Deep Specter Research revealed what they believe was a large-scale phishing-as-a-service (PhaaS) operation that included 48,000 hosts and more than 80 clusters abusing "high-trust" expired domains, according to a blog post published this week. The campaign subsequently used these domains to impersonate familiar and high-profile brands for nefarious purposes. It's not a new tactic — the Hazy Hawk group was seen earlier this year seizing abandoned domains from top-tier organizations, including the Centers for Disease Control, in order to commit ad fraud — but the scale of this particular operation is notable.

"We uncovered a large-scale, cloud-hosted infrastructure that hijacks abandoned or expired domains, then pairs them with cloned websites of major global brands — including Lockheed Martin and many other US and non-US companies," according to the post.

The campaign involved multiple impersonations of various Fortune 500 companies and delivered malware and gambling content from "brand-trusted resources," according to the post by Deep Specter. The research team noted that the cloned sites expose public companies to potential regulatory and legal liability, not to mention exposing the phishing victims themselves to credential theft, exposure of sensitive data, and other malicious activities.

"Many of the cloned sites still load resources from the original brand's cloud infrastructure — meaning the original brand may actively be serving content to a malicious impersonator," Deep Specter said in the blog post.

The cloaked sites featured in the operation received traffic from Google, Meta, and Android apps; overall, Deep Specter found 265 public detections of the malicious activity.
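The hotlinking Deep Specter describes, cloned sites loading resources straight from the brand's own cloud infrastructure, leaves a trace on the brand's side: the Referer header on those asset requests names the impersonating domain. The following is an added example, not code from the article or from Deep Specter; it parses combined-format access-log lines and reports foreign referer hosts that pull several distinct brand static assets. The host names, paths and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format (Apache/nginx) with the Referer and User-Agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
ASSET_EXT = (".css", ".js", ".svg", ".png", ".jpg", ".gif", ".ico", ".woff2")

def parse_combined(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_own_host(host, brand_domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def find_hotlinking_referers(lines, brand_domains, min_assets=2):
    """Map each foreign Referer host to the brand static assets it pulls; hosts
    pulling fewer than min_assets distinct assets are dropped as noise."""
    assets_by_host = defaultdict(set)
    for line in lines:
        rec = parse_combined(line)
        if not rec or rec["status"] not in ("200", "304"):
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(ASSET_EXT):
            continue  # only static resources count
        host = urlsplit(rec["referer"]).hostname  # None for "-" or garbage
        if not host or is_own_host(host, brand_domains):
            continue
        assets_by_host[host].add(path)
    return {h: sorted(a) for h, a in assets_by_host.items() if len(a) >= min_assets}

# Constructed sample lines (hypothetical hosts), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2024:10:01:02 +0000] "GET /static/css/brand.css HTTP/1.1" 200 5120 "https://www.example-brand.com/" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2024:10:01:03 +0000] "GET /static/css/brand.css HTTP/1.1" 200 5120 "https://expired-lookalike.example/login" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2024:10:01:03 +0000] "GET /static/js/app.js HTTP/1.1" 200 90210 "https://expired-lookalike.example/login" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2024:10:01:04 +0000] "GET /static/img/logo.svg?v=3 HTTP/1.1" 304 0 "http://expired-lookalike.example/" "Mozilla/5.0"
192.0.2.44 - - [31/Aug/2024:10:01:05 +0000] "GET /static/img/logo.svg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.45 - - [31/Aug/2024:10:01:06 +0000] "GET /static/img/logo.svg HTTP/1.1" 200 4096 "https://cdn.example-brand.com/x" "Mozilla/5.0"
198.51.100.10 - - [31/Aug/2024:10:01:07 +0000] "GET /static/img/logo.svg HTTP/1.1" 200 4096 "https://news.example.org/article" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for host, assets in find_hotlinking_referers(SAMPLE_LOG.splitlines(), {"example-brand.com"}).items():
        print(f"{host}: {len(assets)} brand assets hotlinked -> {', '.join(assets)}")
```

A single hotlinked logo from a news site is normal; a foreign host pulling the brand's CSS, JavaScript and images together is the pattern worth triaging, and the same grouping works on CDN logs where Referer is recorded.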