Google, velia.net, OVH SAS, HostPapa and Leaseweb: How Spammers Are Hiding Behind Google and the New York Times

Google, velia.net, OVH SAS, HostPapa and Leaseweb: How Spammers Are Hiding Behind Google and the New York Times

Large-Scale Phishing Infrastructure Uncovered: 12,704 Servers Exploit Google Cloud and Scraped NYT Content

A recent investigation has exposed a sophisticated, globally distributed phishing operation leveraging 12,704 internet-facing servers across 55 countries to facilitate spam and credential-harvesting campaigns. The infrastructure, designed for deliverability, evasion, and resilience, abuses Google Cloud Storage as an initial redirect layer before funneling targets to attacker-controlled landing pages many of which mimic The New York Times to deceive security scanners and non-targeted visitors.

Key Findings

  • Scale & Distribution: The network spans 412 hosting providers, with the highest concentrations at HostPapa (630 servers), velia.net (453), OVH SAS (438), and Leaseweb (423). Geographic diversification including heavy use of low-cost VPS markets in Turkey and Romania complicates takedown efforts.
  • Google Cloud Abuse: Attackers exploit Google Cloud Storage to host benign-looking HTML/JS files, using trusted Google domains (e.g., storage.googleapis.com) to bypass initial suspicion. JavaScript redirects then obscure the final phishing destination, allowing operators to rotate infrastructure without updating embedded email links.
  • Deceptive Landing Pages: Servers serve near-identical pages scraped from The New York Times, likely to evade detection by security tools. Only targeted visitors identified via factors like location, browser type, or referral source are redirected to malicious payloads.
  • Outdated & Vulnerable Software: 99.8% of servers run end-of-life (EOL) software, including:
    • Apache/2.4.52 (Ubuntu): 69%
    • Apache/2.4.6 (CentOS) with OpenSSL/1.0.2k-fips: 21%
    • Apache/2.4.41 (Ubuntu): 6%
    • Apache/2.4.58 (Ubuntu): 4%
      The uniformity suggests automated deployment from a small set of server images.
  • Low Abuse History: 89% of IP addresses had no prior reports in AbuseIPDB, indicating either rapid rotation or use as intermediate redirectors to avoid reputation-based blocking.
  • Selective Targeting: The infrastructure appears to filter visitors, serving benign content to scanners while delivering phishing pages to intended victims. The exact filtering logic remains unclear.

Operational Tactics

  1. Initial Contact: Victims receive spam emails with links to Google Cloud Storage URLs, which appear legitimate.
  2. First Redirect: JavaScript on the Google-hosted page redirects to an attacker-controlled server.
  3. Landing Page: Non-targets see NYT-scraped content; targets are sent to phishing pages.
  4. Credential Harvesting: Victims who enter personal or financial data have their information compromised.

Impact & Unknowns

While the investigation confirms the existence and scale of the infrastructure, critical details remain unknown:

  • Total email volume sent via this network.
  • Number of victims who clicked links or submitted data.
  • Identity of the operators, though the coordinated deployment and shared tooling suggest a centralized operation rather than isolated actors.

The campaign’s design distributed hosting, EOL software, and Google Cloud abuse prioritizes persistence and evasion, making disruption difficult. Victims who entered credentials on any linked page should assume their data is compromised. Even clicking a link may confirm an email address as active, increasing future spam exposure.

Source: https://www.comparitech.com/news/how-spammers-are-hiding-behind-google-and-the-new-york-times/

Leaseweb cybersecurity rating report: https://www.rankiteo.com/company/leaseweb

Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud

velia.net | Bare Metal Servers cybersecurity rating report: https://www.rankiteo.com/company/velia.net-internetdienste-gmbh

OVHcloud cybersecurity rating report: https://www.rankiteo.com/company/ovhgroup

HostPapa cybersecurity rating report: https://www.rankiteo.com/company/hostpapa

"id": "LEAGOOVELOVHHOS1781109328",
"linkid": "leaseweb, google-cloud, velia.net-internetdienste-gmbh, ovhgroup, hostpapa",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Unknown number of victims',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Google Cloud Storage',
                        'type': 'Cloud service provider'},
                       {'customers_affected': 'Brand impersonation for '
                                              'phishing',
                        'industry': 'Publishing',
                        'location': 'United States',
                        'name': 'The New York Times',
                        'type': 'Media organization'},
                       {'customers_affected': 'Abused for hosting phishing '
                                              'infrastructure',
                        'industry': 'Technology/Internet',
                        'location': 'Global (Turkey, Romania, etc.)',
                        'name': 'HostPapa, velia.net, OVH SAS, Leaseweb',
                        'type': 'Hosting providers'}],
 'attack_vector': 'Spam emails with malicious links, Google Cloud Storage '
                  'abuse, JavaScript redirects',
 'customer_advisories': 'Victims who entered credentials on any linked page '
                        'should assume their data is compromised. Even '
                        'clicking a link may confirm an email address as '
                        'active, increasing future spam exposure.',
 'data_breach': {'data_exfiltration': 'Likely (credentials harvested)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (credentials, PII)',
                 'type_of_data_compromised': 'Credentials, personally '
                                             'identifiable information (PII)'},
 'description': 'A recent investigation has exposed a sophisticated, globally '
                'distributed phishing operation leveraging 12,704 '
                'internet-facing servers across 55 countries to facilitate '
                'spam and credential-harvesting campaigns. The infrastructure '
                'abuses Google Cloud Storage as an initial redirect layer '
                'before funneling targets to attacker-controlled landing '
                'pages, many of which mimic The New York Times to deceive '
                'security scanners and non-targeted visitors.',
 'impact': {'data_compromised': 'Credentials, personally identifiable '
                                'information (PII)',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential compromise of user accounts, '
                                  'increased spam exposure for victims',
            'systems_affected': '12,704 internet-facing servers across 55 '
                                'countries'},
 'initial_access_broker': {'entry_point': 'Spam emails with Google Cloud '
                                          'Storage links'},
 'investigation_status': 'Ongoing',
 'lessons_learned': "The campaign's design prioritizes persistence and evasion "
                    'through distributed hosting, EOL software, and abuse of '
                    'trusted cloud services. Selective targeting and rapid '
                    'infrastructure rotation complicate detection and takedown '
                    'efforts.',
 'motivation': 'Credential harvesting, financial gain',
 'post_incident_analysis': {'corrective_actions': 'Update outdated software, '
                                                  'monitor cloud service '
                                                  'abuse, implement advanced '
                                                  'phishing detection, and '
                                                  'educate users on '
                                                  'identifying phishing '
                                                  'attempts.',
                            'root_causes': 'Exploitation of EOL software, '
                                           'abuse of trusted cloud services '
                                           '(Google Cloud Storage), automated '
                                           'deployment of phishing '
                                           'infrastructure, and selective '
                                           'targeting to evade detection.'},
 'recommendations': 'Victims should assume compromised credentials and enable '
                    'multi-factor authentication (MFA). Organizations should '
                    'monitor for abuse of cloud services, update outdated '
                    'software, and implement advanced phishing detection '
                    'mechanisms.',
 'references': [{'source': 'Investigation report'}],
 'title': 'Large-Scale Phishing Infrastructure Uncovered: 12,704 Servers '
          'Exploit Google Cloud and Scraped NYT Content',
 'type': 'Phishing',
 'vulnerability_exploited': 'End-of-life (EOL) software (Apache/2.4.52, '
                            'Apache/2.4.6 with OpenSSL/1.0.2k-fips, etc.)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.