
Large-scale Phishing-as-a-Service (PhaaS) operation using expired domains on Google Cloud and Cloudflare

2 unique sources, 2 articles

Summary


A large-scale phishing-as-a-service (PhaaS) operation has been operating undetected for over three years on Google Cloud and Cloudflare platforms. The campaign involved 48,000 hosts and more than 80 clusters using expired domains to impersonate high-profile brands, including Fortune 500 companies. The operation delivered malware and gambling content, exposing victims to credential theft and data breaches. The phishing sites were discovered to be using cloaking techniques to manipulate search engine rankings and hide illicit content. The operation involved multiple impersonations of major brands and utilized both Google Cloud and Cloudflare infrastructure. The campaign was discovered by Deep Specter Research, who found that the operation had been active since at least 2022, with the core infrastructure continuing to evolve. Recently, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure. The campaign has escalated over the past few months, with people receiving multiple versions of the scam each day. The phishing emails originate from a wide range of domains, many of which appear to be randomly generated for the spam campaign. The emails use a wide variety of subject lines designed to scare recipients into opening them and contain links to Google Cloud Storage, where threat actors hosted static redirector HTML files that redirect visitors to scam/phishing sites.

Timeline

  1. 31.01.2026 18:21 1 article · 23h ago

    Escalation of cloud storage subscription scam campaign

    A large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure. The campaign has escalated over the past few months, with people receiving multiple versions of the scam each day. The phishing emails originate from a wide range of domains, many of which appear to be randomly generated for the spam campaign. The emails use a wide variety of subject lines designed to scare recipients into opening them and contain links to Google Cloud Storage, where threat actors hosted static redirector HTML files that redirect visitors to scam/phishing sites. The phishing pages impersonate cloud service portals and prominently display cloud-themed branding, including the Google Cloud logo. The pages ultimately lead to checkout forms designed to collect credit card details and generate affiliate revenue for the threat actors.

  2. 04.09.2025 23:05 2 articles · 4mo ago

    Discovery of a large-scale phishing-as-a-service (PhaaS) operation using expired domains

    A large-scale phishing-as-a-service (PhaaS) operation has been operating undetected for over three years on Google Cloud and Cloudflare platforms. The campaign involved 48,000 hosts and more than 80 clusters using expired domains to impersonate high-profile brands, including Fortune 500 companies. The operation delivered malware and gambling content, exposing victims to credential theft and data breaches. The phishing sites were discovered to be using cloaking techniques to manipulate search engine rankings and hide illicit content. The operation involved multiple impersonations of major brands and utilized both Google Cloud and Cloudflare infrastructure. The campaign was discovered by Deep Specter Research, who found that the operation had been active since at least 2022, with the core infrastructure continuing to evolve.

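The cloud storage scam entry above describes a simple but effective delivery chain: mail links point at Google Cloud Storage objects that are nothing more than static HTML redirectors bouncing the visitor on to the actual scam page. The script below is an added defender-side example, not code from CyberHappenings or from either source article. It assumes an incident responder already has the page bodies captured from a sandbox (passed in as a dict keyed by URL); the e-mail text, bucket path and destination hostnames are constructed placeholders. It extracts links from a message, keeps only those on Google Cloud Storage hosts, and classifies each fetched page as a redirector when it carries a meta refresh or a JavaScript location change and almost no visible content.

```python
"""Triage e-mail links to Google Cloud Storage objects that behave as static
HTML redirectors (meta refresh or JavaScript location change).
Added example with constructed sample data; nothing is fetched from the network."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames on which Google Cloud Storage serves objects (public documentation).
GCS_HOSTS = ("storage.googleapis.com", "storage.cloud.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# <meta http-equiv="refresh" content="0; url=https://...">
META_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*[\"']?([^\"']+)", re.I)
# location = "..." / location.href = "..." / location.replace("...")
JS_REDIRECT_RE = re.compile(
    r"(?:location(?:\.href)?\s*=\s*|location\.replace\(\s*)[\"']([^\"']+)[\"']", re.I)


def is_gcs_url(url):
    """True when the link is served from a Google Cloud Storage hostname."""
    host = (urlparse(url).hostname or "").lower()
    return host in GCS_HOSTS or host.endswith(".storage.googleapis.com")


class _RedirectParser(HTMLParser):
    """Collect redirect targets and count visible (non-script) text."""

    def __init__(self):
        super().__init__()
        self.targets = []        # list of (mechanism, destination URL)
        self.visible_chars = 0   # length of text a user would actually see
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            for m in JS_REDIRECT_RE.finditer("".join(self._script_buf)):
                self.targets.append(("js-location", m.group(1).strip()))
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)
        else:
            self.visible_chars += len(data.strip())


def classify_page(html):
    """Describe whether a captured HTML body acts as a static redirector."""
    p = _RedirectParser()
    p.feed(html)
    p.close()
    # A landing page with redirect logic and (almost) nothing to read is a
    # redirector; a real page with redirect logic still shows substantial text.
    return {"redirects": p.targets,
            "is_redirector": bool(p.targets) and p.visible_chars < 200}


def triage_email(body, captured_pages):
    """Return findings for GCS-hosted links in `body` whose captured page
    (captured_pages: URL -> HTML, e.g. from a sandbox) is a redirector."""
    findings = []
    for url in URL_RE.findall(body):
        if not is_gcs_url(url):
            continue
        verdict = classify_page(captured_pages.get(url, ""))
        if verdict["is_redirector"]:
            findings.append({"link": url, "hops": verdict["redirects"]})
    return findings


# Constructed sample message and sandbox capture (placeholder bucket/domains).
SAMPLE_EMAIL = """Subject: Final notice: your photos will be deleted
Your storage payment failed. Restore access now:
https://storage.googleapis.com/example-bucket-placeholder/notice.html
Questions? https://support.example.com/help
"""
SAMPLE_PAGES = {
    "https://storage.googleapis.com/example-bucket-placeholder/notice.html":
        '<html><head><meta http-equiv="refresh" content="0; url=https://example-scam.invalid/renew">'
        '<script>window.location.replace("https://example-scam.invalid/renew");</script>'
        '</head><body></body></html>',
}

if __name__ == "__main__":
    for f in triage_email(SAMPLE_EMAIL, SAMPLE_PAGES):
        print(f["link"])
        for mechanism, dest in f["hops"]:
            print(f"  {mechanism:13s} -> {dest}")
```

The visible-text threshold is what separates a bare redirector from a legitimate page that also happens to redirect; tune it against your own corpus, and treat the destination hosts as the indicators worth blocking, since the bucket name is cheap for the sender to rotate.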


Similar Happenings

SIM-box operation dismantled, enabling global telecom fraud

European law enforcement dismantled a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm, enabling over 49 million fake online accounts and facilitating over 3,200 fraud cases resulting in at least 4.5 million euros in losses. The service provided phone numbers for various telecommunication crimes, including phishing, investment fraud, impersonation, extortion, migrant smuggling, and the distribution of child sexual abuse material (CSAM). The operation, codenamed 'SIMCARTEL,' involved multiple countries and seized significant infrastructure and assets. The SIM-box service operated through two websites, gogetsms.com and apisim.com, which have been seized. The service rented out phone numbers registered in over 80 countries, enabling the creation of fraudulent online accounts. The operation resulted in the arrest of seven individuals, including five Latvian nationals, and the seizure of 1,200 SIM-box devices, 40,000 SIM cards, five servers, and luxury vehicles. Financial assets totaling EUR 431,000 and $333,000 in crypto were also frozen. The operation's main raids occurred during an action day in Latvia on October 10, where 26 searches were carried out and five Latvian nationals were arrested. Three suspects were subject to a non-custodial security measure and a court imposed a security measure on a man born in 1982. Latvian law enforcement shared footage of a raid on a workspace packed with computer hardware, specialized equipment and large quantities of SIM cards.

Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries

The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. Google has filed a civil lawsuit against China-based hackers behind the Lighthouse PhaaS platform, which has ensnared over 1 million users across 120 countries and made over $1 billion over the past three years. The platform uses over 194,000 malicious domains and has compromised between 12.7 million and 115 million payment cards in the U.S. alone. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials. A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post, and Careem, has been identified during a recent threat-hunting operation by Dark Atlas. The discovery points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime group known for large-scale SMS phishing operations. New malicious domains were uncovered after analysts examined HTTP headers from the group's infrastructure and used those indicators to run targeted searches on Shodan. The investigation highlighted the group's reliance on Telegram to promote and sell its phishing-as-a-service offerings. A separate but related development involves Darcula, a large-scale PhaaS platform operating more than 20,000 spoofed domains across 100 countries. Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool, and AI-driven automation that allows operators to build phishing pages with a single click. Both the Smishing Triad and emerging PhaaS services like Darcula demonstrate the increasing sophistication of global phishing operations.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. Authorities in Nigeria have arrested three individuals linked to the RaccoonO365 phishing-as-a-service (PhaaS) scheme, including Okitipi Samuel, also known as Moses Felix, identified as the principal suspect and developer of the phishing infrastructure. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) collaborated with Microsoft and the FBI in the investigation, seizing laptops, mobile devices, and other digital equipment linked to the operation. The stolen data was used to fuel further cybercrimes, including business email compromise, financial fraud, and ransomware attacks. The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks carried out via the Raccoon0365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was made possible by intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI. The authorities identified individuals who administered the phishing toolkit 'Raccoon0365,' which automated the creation of fake Microsoft login pages for credential theft. The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September. It is unclear whether the disruption operation helped identify those behind Raccoon0365 in Nigeria. One of the arrested suspects is an individual named Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' whom the police believe to be the developer of the phishing platform. Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, and he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months. Cloudflare estimates that the service is used primarily by Russia-based cybercriminals. Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or its creation. The person whom Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police's announcement.

SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud

A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.

Increased Browser-Based Attacks Targeting Business Applications

Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.