Wednesday January 28, 2026

Advisory ID: NCC-CSIRT-2025-013

Summary: 

Cybersecurity researchers have uncovered a large-scale phishing-as-a-service (PhaaS) infrastructure on Google Cloud and Cloudflare, which has been operational for years. This infrastructure utilizes fake websites that mimic real company login pages to steal passwords and bypass security codes. The attackers stay hidden by using expired domains and tricks that fool Google into seeing harmless content. 

Damage/Probability: High/Critical

Product(s): 

  • Google Cloud Platform (GCP)
  • Cloudflare Services
  • Expired or Abandoned Domains

Version(s): 

  • Google Cloud Platform (GCP): Not version-specific (cloud services, not software releases).
  • Cloudflare Services: Not version-specific (service-level abuse).
  • Expired or Abandoned Domains: Any domains previously registered but left to expire.

Platform(s): 

Google Cloud, Cloudflare, Re-registered / Expired Domains, and Open Redirect Services (e.g., Google Accelerated Mobile Pages (AMP), Software-as-a-Service (SaaS) platforms).

Description: 

According to the cybersecurity experts, the attackers create fake websites that look exactly like the real login pages of well-known companies (including big defence, finance, and tech firms). Their goal is to trick people into entering their usernames, passwords, and even security codes. Once stolen, this information can be used to hack accounts, steal money, spread malware, or commit fraud.

The group has built an “empire” of fake sites, with almost 50,000 fake hosts across many servers. To stay hidden, they use clever tricks:

  • They buy expired websites that already have a good reputation in Google search.
  • They make sure Google’s systems see a harmless version of the site, while real users see the fake login page.
  • They even load some images or files directly from the real company’s website, so the fake page looks even more convincing.

Because of these tactics, the operation managed to run for years without being shut down.

Impacts: 

  • Credential compromise & account takeover (ATO), including Multi-Factor Authentication (MFA) bypass where Adversary-in-the-Middle (AiTM) kits are used.
  • Brand/reputation damage and potential regulatory exposure where cloned sites load legitimate brand assets.
  • Downstream malware delivery (e.g., RATs via Cloudflare-hosted chains in adjacent campaigns).

Solutions: 

What Users Should Do:

  • Do not rely on search results for logins. Always type the web address yourself (e.g., www.yourbank.com) or use bookmarks you created earlier.
  • Look carefully at website addresses. Fake sites often use unusual spellings or extra words.
  • Use stronger sign-in methods. Where possible, use security keys or passkeys (FIDO2/WebAuthn) instead of just passwords and codes. These are very hard for attackers to steal.
  • Be alert for suspicious redirects. If a link takes you through multiple pages before reaching a login, it could be a trap.
  • Report suspicious sites. If you see a fake site pretending to be your organization, report it immediately to IT/security teams.

What Organizations Should Do:

  • Protect your domains: Renew important website names on time so criminals can’t take them over.
  • Monitor your brand: Regularly check if fake versions of your website exist and request takedowns quickly.
  • Strengthen staff login security: Use multi-factor authentication, preferably phishing-resistant methods.
  • Train employees: Remind staff to never log in through links in emails or search results.
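One concrete check behind the "monitor your brand" advice above, and the hotlinking trick described under Description (cloned pages loading images or files directly from the real company's site): scan the legitimate site's web server access log for static brand assets requested with a Referer on a host the organization does not own. This is an added example, not part of the advisory; the log lines, hostnames and asset extensions are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2026:10:01:12 +0000] "GET /assets/logo.svg HTTP/1.1" 200 5120 "https://www.example-bank.test/login" "Mozilla/5.0"
203.0.113.8 - - [28/Jan/2026:10:02:40 +0000] "GET /assets/logo.svg HTTP/1.1" 200 5120 "https://example-bank-secure-login.example/signin" "Mozilla/5.0"
203.0.113.9 - - [28/Jan/2026:10:03:05 +0000] "GET /assets/login.css HTTP/1.1" 200 812 "https://example-bank-secure-login.example/signin" "Mozilla/5.0"
203.0.113.10 - - [28/Jan/2026:10:04:19 +0000] "GET /login HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"
203.0.113.11 - - [28/Jan/2026:10:05:51 +0000] "GET /assets/logo.svg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [28/Jan/2026:10:06:02 +0000] "GET /assets/favicon.ico HTTP/1.1" 200 318 "https://cdn.example-bank.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hosts that may legitimately embed our assets (assumed values; use your own).
OWN_HOSTS = {"www.example-bank.test", "cdn.example-bank.test"}
# Static brand assets a cloned login page would typically pull from the real site.
ASSET_EXT = (".svg", ".png", ".css", ".ico", ".woff2", ".js")

def is_own_host(host: str) -> bool:
    # Exact match or a subdomain of an allowed host; a look-alike with our name
    # embedded in a foreign domain does not match.
    return any(host == h or host.endswith("." + h) for h in OWN_HOSTS)

def hotlink_referers(log_text: str) -> Counter:
    """Count foreign Referer hosts that embed our static brand assets."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().endswith(ASSET_EXT):
            continue  # Unparseable line or not a static asset request.
        ref = m["referer"]
        if ref in ("", "-"):
            continue  # No Referer: direct load or stripped; cannot attribute.
        host = urlparse(ref).hostname or ""
        if host and not is_own_host(host):
            hits[host] += 1
    return hits

if __name__ == "__main__":
    # Hosts listed here are candidates for brand-abuse review and takedown requests.
    for host, n in hotlink_referers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```

Hosts that appear repeatedly are candidates for manual review and takedown requests; an empty or missing Referer is not evidence either way, so the check complements rather than replaces external brand monitoring.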

References: