Undetected Phishing Campaign Lasted Over 3 Years on Google Cloud and Cloudflare
A sophisticated phishing operation has been running undetected for over three years, leveraging Google Cloud and Cloudflare infrastructure to impersonate major corporations, including the defence contractor Lockheed Martin. The campaign employed advanced cloaking techniques and repurposed expired domains, highlighting significant failures in detection by two of the internet's largest service providers.

The attackers began by acquiring expired domains that had previously belonged to legitimate organisations, then deployed cloned websites of Fortune 500 companies on them. They specifically targeted high-value domains with established reputations and active social media communities, which made the impersonations more convincing to unsuspecting users. A notable example is the domain MilitaryFighterJet.com, originally dedicated to military aircraft, which was transformed into a gambling site that simultaneously served as a perfect clone of Lockheed Martin's corporate website.
The attackers used cloaking technology that served different content depending on the visitor's user agent and geographic location. Search engine crawlers, and visitors arriving through Google search results, were shown legitimate-looking clones of corporate websites, while direct browser access revealed gambling content. This dual-purpose infrastructure evaded automated detection systems while serving illicit content to real users.

Deep Specter Research analysts identified the extent of the operation while investigating the transformation of the MilitaryFighterJet.com domain. Their analysis revealed an infrastructure of over 48,000 active virtual hosts organised into 86 distinct clusters, primarily hosted on Google Cloud in Hong Kong and Taiwan. Evidence of the operation dates back to 2021, with significant expansion periods coinciding with major cybersecurity incidents and data breaches worldwide. The campaign's technical sophistication is evident in its use of HTTrack Website Copier, a legitimate website mirroring tool, to create pixel-perfect replicas of target organisations' websites.
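A defender-side check for the two indicators described above, added here as an example and not code from the article or from Deep Specter Research: it requests the same URL under several header profiles (crawler user agent, browser with a Google referrer, browser direct), compares fingerprints of the visible content to flag user-agent or referrer cloaking, and looks for the "Mirrored from ... by HTTrack Website Copier" comment that HTTrack writes into copied pages. The profile headers, the `corp.example` site and all captured responses are constructed for the example; an HTTP client is injected so the block runs offline.

```python
import hashlib
import re
from typing import Callable, Dict

# Request profiles for one URL. The cloaking described above keys on the user
# agent and on arrival via Google search; these header sets are constructed
# for this example. Geo-keyed cloaking needs the same fetches repeated from
# several vantage points, which is not shown here.
UA_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
PROFILES: Dict[str, Dict[str, str]] = {
    "googlebot": {"User-Agent": UA_GOOGLEBOT},
    "browser_via_google": {"User-Agent": UA_BROWSER, "Referer": "https://www.google.com/"},
    "browser_direct": {"User-Agent": UA_BROWSER},
}

# HTTrack writes a "Mirrored from <site> by HTTrack Website Copier" HTML
# comment into every page it copies; its presence marks a cloned site.
HTTRACK_MARK = re.compile(r"<!--\s*Mirrored from\s+(\S+)\s.*?HTTrack Website Copier", re.I | re.S)

def fingerprint(html: str) -> str:
    """Hash the page with comments and whitespace removed, so only visible
    content differences between profiles count as cloaking."""
    body = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    body = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(body.encode()).hexdigest()[:16]

def detect_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], str]) -> dict:
    """Fetch the URL once per profile and report whether the visible content
    differs between profiles, plus any HTTrack mirror source found."""
    bodies = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    prints = {name: fingerprint(body) for name, body in bodies.items()}
    source = next((m.group(1) for m in map(HTTRACK_MARK.search, bodies.values()) if m), None)
    return {"cloaked": len(set(prints.values())) > 1, "fingerprints": prints, "httrack_source": source}

# Constructed sample responses modelling the behaviour in the article:
# crawlers and Google-referred visitors get the clone, direct visitors do not.
CLONE = ("<!-- Mirrored from corp.example/ by HTTrack Website Copier/3.49 -->\n"
         "<html><title>Corp Example</title><body>Corporate site</body></html>")
GAMBLING = "<html><title>Spin and win</title><body>Casino offers</body></html>"
SAMPLE_RESPONSES = {"googlebot": CLONE, "browser_via_google": CLONE, "browser_direct": GAMBLING}

def sample_fetch(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for an HTTP client: returns the constructed capture
    recorded for the profile whose headers match."""
    name = next(n for n, h in PROFILES.items() if h == headers)
    return SAMPLE_RESPONSES[name]

if __name__ == "__main__":
    print(detect_cloaking("https://placeholder.example/", sample_fetch))
```

Against a live site, replace `sample_fetch` with a client such as `urllib.request` that sends the profile's headers; a fingerprint mismatch between profiles is the signal to escalate for manual review.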
Categories: Phishing Operations, Cybersecurity Threats, Infrastructure Exploitation
Tags: Phishing, Google Cloud, Cloudflare, Lockheed Martin, Cloaking Techniques, Expired Domains, Cloned Websites, Cybersecurity, Virtual Hosts, HTTrack Website Copier