Ongoing Phishing Campaign Abusing Google Cloud Storage to Redirect Users to Multiple Scam Pages

March 14, 2026 Anurag GawandeLeave a comment

A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure:

Analysis of an Integrated Phishing Campaign Utilizing Google Cloud Infrastructure

While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD.

What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings.

Newly Observed Google Cloud Storage URLs

The following URLs were identified during the investigation:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html
storage[.]googleapis[.]com/wetaobao/taobao.html
storage[.]googleapis[.]com/savelinge/goforward.html
storage[.]googleapis[.]com/lithesome/stepupnow.html

One particular page stood out during analysis:

This page appears to function as a traffic distribution page, redirecting visitors to multiple phishing sites depending on campaign configuration.

storage[.]googleapis[.]com/whilewait/successcomes.html

I also shared an earlier observation on X (Twitter):

18 more phishing emails in just two days.

🔗 Sample URLs:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html… https://t.co/Wsh5ahUiTu pic.twitter.com/5TuRjWogxt
— Anurag (@Malwarehunterr) February 27, 2026

Traffic Redirection to .autos Phishing Domains

The redirector page was observed sending users to various phishing domains, most of which are hosted under the .autos top-level domain.

These phishing sites are themed around different scams designed to lure victims into providing personal or financial information.

Below are the different campaign themes identified.

Netflix Reward Phishing Pages

Some pages impersonate Netflix reward programs, claiming users have won prizes or special promotions.

Domains involved:

digital-shift-us-bin[.]autos
searchonboardloadingrock[.]autos
mailanalyticsvolseries[.]autos
verifieddreamseriesultimate[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos

Additional domains were also shared by an X user @skocherhan quoting my earlier post:

#phishing

golddreamflyrock[.]autos
yeahf2fprtctrl[.]autos
smartdreambio[.]autos
kolloadingshiftanalytics[.]autos
analyticsprt[.]autos
voldel[.]autos
onboardnatf2fdirect[.]autos
tipsonboardvolnbllc[.]autos
moviefiz[.]autos
d3b7b967ea[.]treadwear[.]autos
movies-4u[.]autos… https://t.co/LcgfefVofd
— ܛܔܔܔܛܔܛܔܛ (@skocherhan) March 12, 2026

Additional domains observed:

goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos

These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize.

Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility.

Fake Dell Laptop Giveaway Survey

Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99.

Domains hosting these pages include:

avgeasyposttips[.]autos
searchonboardloadingrock[.]autos
alt-dig-gold-tab[.]autos
gold-avg-pe-nb[.]autos
tra4fficjumpchoiceclever[.]autos
digprtdreamavg[.]autos
shifttra4fficcapsmatch[.]autos
digitalshiftusbin[.]autos
spacevertabnb[.]autos
rot-digital-fly-f2f[.]autos

These pages typically:

Ask the victim to answer a few survey questions.
Display a congratulatory message.
Request credit card details to pay for shipping fees.

Fake “AI Data Assistant – Earn $500/day” Job Lure

Another theme used in this campaign promotes a fake online job opportunity, claiming users can earn $500 per day as an AI data assistant.

Observed domains:

verifieddreamseriesultimate[.]autos
pushbuttonsystem[.]net
lifeverifiedfavouritever[.]autos
mailanalyticsvolseries[.]autos
spacevertabnb[.]autos

These pages typically claim:

No experience required
High daily earnings
Work from home opportunities

Users are often redirected through several steps designed to collect personal information or push affiliate offers.

“Antivirus Subscription Expired” Phishing Pages

Another set of pages impersonates security alerts, claiming the user’s antivirus subscription has expired.

Domains observed:

safepremiumfreeriskfree[.]autos
nationalrecommendsafesmart[.]autos
deviceriskfreesafe[.]autos
freespeedpopular[.]autos
guardpopularinstalldevice[.]autos
speeddeviceboostfast[.]autos
programeffectivespeedfast[.]autos

These pages typically:

Display fake security warnings
Urge users to renew antivirus protection
Redirect victims to payment or affiliate pages.

“Cloud Storage Full” Phishing Pages

Another variation of this campaign uses cloud storage warnings, claiming the user’s storage account is full.

Observed domains:

stairs-table-fire.autos
tablewordstairs[.]autos
ceilwordinteriorbowl[.]autos
safe-premium-free-riskfree[.]autos
nationalprotectsmartfree[.]autos
guardpopularinstalldevice[.]autos
ceil-word-interior-bowl[.]autos
free-speed-popular-guard[.]autos
device-safe-clean-boost[.]autos
boost-premium-recommend-effective[.]autos
trk[.]independent-teacher-strength-nails[.]run

Additional domains were also shared by an X user quoting my earlier post:

#Phishing

accurate-cyber-proactive-defense[.]autos
accurate-guard-optimized-shield[.]autos
accurate-safe-reliable-defense[.]autos
accurate-safe-smart-defense[.]autos
accurate-smart-authorized-efficient[.]autos
accurate-smart-safe-advanced[.]autos… https://t.co/qIXObR7gLy
— ܛܔܔܔܛܔܛܔܛ (@skocherhan) March 12, 2026

These pages often mimic services such as:

Google Drive
iCloud

The goal is to scare victims into clicking through fake upgrade or security alerts.

Fake Walmart Survey Scam

Several phishing domains impersonate Walmart survey reward campaigns, often promising a free gift or prize in exchange for completing a short survey.

Domains observed:

jumpdiganalyticsprt[.]autos
avgeasyposttips[.]autos
cleververifieddigitalmatch[.]autos
altbio[.]autos
alt-dig-gold-tab[.]autos
matchstarsrotchoice[.]autos
directvolcapsus[.]autos
digprtdreamavg[.]autos

These pages typically display messages such as:

“Congratulations! You have been selected to receive a reward”
“Complete a short Walmart survey to claim your prize”

After the survey is completed, victims are usually asked to pay a small shipping fee, where credit card information is harvested.

Key Observation

One of the most notable aspects of this campaign is the central role of the Google Cloud Storage page:

storage[.]googleapis[.]com/whilewait/successcomes.html

During testing, this page was observed redirecting users to multiple phishing domains across different scam themes.

This suggests it is functioning as a traffic distribution or redirect infrastructure, allowing attackers to rotate phishing destinations while keeping the initial delivery URL stable.

Using Google Cloud Storage also adds a layer of trust, as the domain belongs to a legitimate cloud provider.

Another interesting observation is that a single .autos domain can serve multiple phishing page themes after redirection from the Google Cloud Storage page. Depending on the redirection path or parameters, the same domain may host different scams such as:

Fake surveys
Reward scams
Storage full alerts
Antivirus subscription warnings
Job offer lures

This behavior indicates that the attackers are likely using a shared phishing kit or centralized backend infrastructure, allowing them to quickly rotate scam themes while reusing the same domains.

Another observation is the high volume of phishing emails currently being distributed using this infrastructure. Over the past few days, I have been receiving around 40–50 phishing emails within a 24-hour period, many of which contain links to Google Cloud Storage pages that act as redirectors to the phishing ecosystem described in this report.

URLs repeatedly observed in these emails include:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/savelinge/goforward.html

Indicators of Compromise (IOCs)

Google Cloud URLs

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html
storage[.]googleapis[.]com/wetaobao/taobao.html
storage[.]googleapis[.]com/savelinge/goforward.html
storage[.]googleapis[.]com/lithesome/stepupnow.html

Phishing Domains

digital-shift-us-bin[.]autos
searchonboardloadingrock[.]autos
mailanalyticsvolseries[.]autos
verifieddreamseriesultimate[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos
avgeasyposttips[.]autos
searchonboardloadingrock[.]autos
alt-dig-gold-tab[.]autos
gold-avg-pe-nb[.]autos
tra4fficjumpchoiceclever[.]autos
digprtdreamavg[.]autos
shifttra4fficcapsmatch[.]autos
digitalshiftusbin[.]autos
spacevertabnb[.]autos
rot-digital-fly-f2f[.]autos
verifieddreamseriesultimate[.]autos
pushbuttonsystem[.]net
lifeverifiedfavouritever[.]autos
mailanalyticsvolseries[.]autos
spacevertabnb[.]autos
safepremiumfreeriskfree[.]autos
nationalrecommendsafesmart[.]autos
deviceriskfreesafe[.]autos
freespeedpopular[.]autos
guardpopularinstalldevice[.]autos
speeddeviceboostfast[.]autos
programeffectivespeedfast[.]autos
stairs-table-fire.autos
tablewordstairs[.]autos
ceilwordinteriorbowl[.]autos
safe-premium-free-riskfree[.]autos
nationalprotectsmartfree[.]autos
guardpopularinstalldevice[.]autos
ceil-word-interior-bowl[.]autos
free-speed-popular-guard[.]autos
device-safe-clean-boost[.]autos
boost-premium-recommend-effective[.]autos
trk[.]independent-teacher-strength-nails[.]run
jumpdiganalyticsprt[.]autos
avgeasyposttips[.]autos
cleververifieddigitalmatch[.]autos
altbio[.]autos
alt-dig-gold-tab[.]autos
matchstarsrotchoice[.]autos
directvolcapsus[.]autos
digprtdreamavg[.]autos

This campaign demonstrates how attackers continue to abuse trusted cloud infrastructure such as Google Cloud Storage to host redirectors that distribute victims to multiple phishing pages.

By using legitimate cloud services as part of the attack chain, threat actors can increase credibility and reduce the likelihood of immediate blocking.

The use of large numbers of disposable .autos domains further allows attackers to rotate phishing pages frequently while keeping the delivery infrastructure intact.

In addition, the system appears to restrict repeated access attempts from the same IP address. After a user successfully reaches a phishing page through the redirector, subsequent attempts to access similar URLs from the same IP may result in the page failing to load or redirecting to unrelated sites. This behavior suggests the presence of IP-based filtering or traffic distribution logic, commonly used in malicious traffic distribution systems (TDS) to control how often a visitor can access the phishing infrastructure.

Fake “Fast Ray VPN” Site on Cloudflare Pages Leading to PUA Downloads

January 11, 2026 Anurag GawandeLeave a comment

While reviewing historical scans on URLScan, I came across a VPN-themed website hosted on Cloudflare Pages

hxxps://fast-ray-vpn.pages.dev/

At first glance, the site looks like a harmless VPN review blog. It features clean formatting, long-form written content, fake ratings, and well-structured download sections. Nothing immediately stands out as malicious, which is likely why the site has remained accessible for months.

What makes this case notable is that URLScan shows this domain has been publicly reachable for at least eight months, with multiple scans recorded over time. This is not a short lived phishing page or a throwaway redirect, it appears to be stable infrastructure.

A Convincing VPN Review That Builds False Trust

The landing page presents itself as a review article titled “Fast Ray VPN Review: Secure & Fast Mobile VPN?”. It includes a star rating of 4.8, all designed to look credible.

Download Links That Don’t Deliver a VPN

Near the bottom of the page, two links are presented as:

“Download via Link 1”
“Download via Link 2”

Clicking either of these does not lead to an app store, an official vendor site, or even a branded installer page. Instead, users are redirected to a third-party domain:

hxxps://normallydemandedalter[.]com

The URLs include long query strings with tracking keys, strongly suggesting affiliate or traffic broker infrastructure rather than software hosting.

In many cases, the redirect lands on a generic page stating

“Your File Download Is Ready!”

There is no mention of a VPN, no vendor name, no file hash, and no explanation of what is about to be downloaded.

As shown in the above screenshot, one such redirect path leads to insecthoney[.]xyz, where clicking the download button results in OperaSetup.exe being delivered. While Opera itself is legitimate software, the context is deceptive. Users are led to believe they are downloading a VPN client, but instead receive an unrelated browser installer distributed.

This OperaSetup.exe is getting delivered through below domains:

insecthoney[.]xyz
valueeye[.]xyz

Pixelsee PUA Delivered Through One Redirect Path

During sandbox testing, both redirect paths associated with the two download links were observed delivering a PUA payload, including the Pixelsee sample previously referenced. However, the behavior was not consistent. The same URLs did not always result in a file download and, in several cases, redirected to unrelated advertising or affiliate destinations instead. This indicates that payload delivery is randomized or condition-based, likely controlled by backend traffic distribution logic rather than being tied to a single fixed URL.

1. hxxps://normallydemandedalter.com/y4gw4zmhi3?key=14baee5d6a64addb406346147543b508

2. hxxps://normallydemandedalter.com/bhb7puzj?key=13033e82c537ba388cf82fed63dcfc88

That file is already flagged on VirusTotal and detected as Pixelsee PUA. The Pixelsee site itself again presents a clean, minimal download page with a prominent “Download” button and almost no transparency about the software’s purpose.

File Hash: 3856355ad00016cf21e0492fc5db2fd6
File Name: PixelSee_id1604692id.exe
File Size: 4.35MB
File Type: PE32

Inconsistent Outcomes and Traffic Monetization

Revisiting the same download URLs does not consistently result in the same behavior.

In multiple attempts, instead of receiving a file, the browser was redirected to completely unrelated destinations, including:

TikTok video pages
XM trading platform landing pages
Ad-related sites such as adzilla/.meme
Adult-themed click-through domains like best-girls-around/.com

This inconsistency strongly indicates the use of a traffic distribution system (TDS). Depending on conditions such as IP reputation.

VPN and Sandbox Detection Blocking Visibility

When accessing normallydemandedalter[.]com through a VPN or sandbox environment, the site responds with a simple message

“Anonymous Proxy detected.”

Once this message appears, no further redirects or downloads occur. This behavior effectively blocks

VPN users
Cloud-based sandboxes
Automated analysis systems

This explains why the site can remain live for months while still evading deeper inspection. The actual payload delivery only happens when the visitor appears to be a “real” user.

Visibility in Google Search Results

An additional point worth highlighting is that the Fast Ray VPN site is not buried or obscure. A simple Google search for “fast ray vpn” currently surfaces the Cloudflare Pages site within the top search results, appearing alongside legitimate Google Play and Apple App Store listings. This positioning significantly increases the likelihood of real users landing on the page organically, especially those searching for a VPN by name and expecting an official or review-based result. Combined with the site’s long uptime and clean presentation, this search visibility further amplifies its effectiveness as a traffic funnel.

Indicators of Compromise (IOCs)

The following indicators were observed during hands-on analysis and sandbox testing. They are linked to a deceptive VPN-themed page that redirects users through third-party infrastructure and, in some cases, delivers potentially unwanted applications. The redirects do not behave consistently. Sometimes a file is downloaded, other times users are sent to unrelated advertising or affiliate pages. This kind of behavior suggests traffic is being routed and monetized dynamically rather than through a single, fixed download path.

Domains

fast-ray-vpn.pages.dev
normallydemandedalter.com
insecthoney.xyz
valueeye.xyz
pixel-see.com
adzilla.meme
best-girls-around.com
xm.com

URL’s

hxxps://fast-ray-vpn.pages.dev/
hxxps://normallydemandedalter[.]com/y4gw4zmhi3?key=14baee5d6a64addb406346147543b508
hxxps://normallydemandedalter[.]com/bhb7puzj?key=13033e82c537ba388cf82fed63dcfc88
hxxps://insecthoney.xyz/?affId=2266&o=519&title…
hxxps://valueeye[.]xyz/?affId=2266&o=473&title=SETUPFILE&t=download_s1…..

File Hashes (PUA)

MD5: 3856355ad00016cf21e0492fc5db2fd6

The Fast Ray VPN site is not a legitimate VPN service and not a genuine review platform. It functions as a persistent traffic lure, redirecting users into affiliate and PUA distribution chains while actively blocking VPNs and sandboxes.

Its long lifespan suggests an effective design that prioritizes persistence and user reach while avoiding signals that typically lead to rapid takedown.

Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate

January 7, 2026 Anurag GawandeLeave a comment

Overview

During analysis of a phishing URL chain, I observed a fake Cloudflare Turnstile verification page acting as an intelligent traffic filtering gate. Rather than protecting a website, this page selectively blocks, redirects, or allows access based on geolocation, proxy usage, and browser fingerprinting.

This phishing infrastructure demonstrates Traffic Distribution System like behavior commonly used in modern phishing and scam operations to evade security researchers, sandboxes, and automated crawlers while delivering payloads only to high-confidence victims.

Redirection Chain

The Cloudflare page is not legitimate and does not load any official Turnstile JavaScript. Instead, it is a static imitation combined with heavy client side fingerprinting.

Fake Cloudflare Verification Page

The landing page is designed to closely mimic a legitimate Cloudflare interstitial, creating a false sense of trust for the victim. It displays the French language title “Un instant…“, along with Cloudflare style branding and logos to appear authentic. A fake human verification checkbox labeled “Vérifiez que vous êtes humain” is presented, imitating Cloudflare’s Turnstile challenge, despite performing no real validation. The page also shows a fabricated Ray ID, a detail commonly associated with genuine Cloudflare error or verification pages. To further reinforce legitimacy, the attackers include links pointing to real Cloudflare policy and documentation pages, a tactic intended to reduce suspicion and bypass casual scrutiny by users and automated scanners alike.

However, no real Turnstile challenge exists. All logic is client side JavaScript + server side decision APIs, not Cloudflare infrastructure.

Browser Fingerprinting & Bot Detection

Once the page loads, the script silently collects a detailed browser fingerprint, including:

navigator.userAgent
navigator.webdriver (Selenium / automation detection)
Headless browser indicators
Plugin count and language settings
WebGL vendor and renderer (VM / sandbox detection)
LocalStorage and SessionStorage availability
Timezone information
Honeypot fields (website, email-confirm) to detect autofill bots

All of this data is packaged and exfiltrated to backend endpoints such as:

/_internal/base/validation/collect_info.php
/_internal/api/dashboard.php

Geo Blocking and Proxy Detection

Using Fiddler with different exit locations, the server’s decision engine responses were captured. These responses clearly show country based blocking and proxy detection logic.

This confirms explicit detection of hosting providers, VPNs, and proxy infrastructure, even when traffic originates from France.

Decoy Redirect Behavior

If a visitor is classified as blocked or suspicious, the page redirects to:

hxxps://www.mediapart.fr

This serves multiple purposes:

Makes the site appear benign during casual inspection
Misleads analysts and automated scanners
Prevents security tools from accessing the real phishing content

Only approved traffic (likely residential French IPs, real browsers) proceeds to the malicious landing page.

Why France?

Several indicators strongly suggest that this phishing infrastructure is specifically oriented toward French users. The landing page content and interface are fully localized in French (fr_FR), indicating deliberate language targeting rather than generic reuse. Access behavior appears to follow a country based allow list model, where visitors from non-French regions are blocked or redirected. When access conditions are not met, the site redirects to a well-known French news outlet as a decoy, helping the infrastructure appear benign during casual checks. Additionally, all CAPTCHA elements and user interface text are presented entirely in French, reinforcing the assessment that this setup is designed to blend seamlessly into a French browsing context and evade suspicion among local users.

Infrastructure Observations

Both domains involved in the redirect chain were newly registered on 2026-01-06.

Detection And Hunting Notes

Defenders should look for:

Fake Cloudflare Turnstile pages without official Cloudflare JS
Hidden honeypot form fields
/collect_info.php or /dashboard.php?action=visit patterns
Conditional redirects to legitimate news sites
Different behavior between residential vs proxy IPs

Confirmed malicious phishing traffic distribution system.

This is not a Cloudflare protection page.
It is a selective traffic gate designed to evade analysis and deliver phishing content only to real victims.

Source

Large-Scale Parasite SEO Campaign Using Amazon Style Pages on Cloudflare Pages

January 5, 2026 Anurag GawandeLeave a comment

Overview

This blog documents a large-scale parasite SEO (search engine poisoning) campaign identified across dozens of domains hosted on Cloudflare Pages.

The campaign relies on a reused malicious HTML template that impersonates Amazon style product pages, injects gambling related SEO spam, and abuses canonical, Open Graph, and structured data fields to hijack the reputation of unrelated legitimate websites.

Analysis using urlscan hash searches confirms that the same page template is deployed at scale, with only the embedded “legitimate” URL changing between deployments. This behavior indicates an automated SEO spam operation, not isolated compromise.

Notably, the template also embeds a legitimate Amazon sign-in URL, further reinforcing the illusion of authenticity and increasing the phishing risk surface.

No direct credential harvesting or malware delivery was observed. Nevertheless, the activity is malicious by intent, designed to manipulate search rankings and mislead both users and search engines.

Campaign Overview

The campaign combines multiple well-known SEO abuse techniques:

Fake Amazon product page URL structures
Free static hosting infrastructure (primarily Cloudflare Pages)
Gambling keyword injection (e.g., slot gacor, JUDOLBET88)
Canonical and Open Graph metadata pointing to unrelated trusted websites
Hidden backlink farms to inflate SEO signals
Embedded legitimate links to trusted services (Amazon sign-in)

Amazon Product Page Impersonation

A representative example observed in this campaign:

/dp/B08ZJVVMT4?ref=MarsFS_eero_en

Key indicators:

/dp/<ASIN> is specific to Amazon product URLs
ref= parameters mimic Amazon referral tracking
No legitimate product details, pricing, or checkout functionality exists

These URLs are crafted solely to exploit search engine familiarity and trust, not to serve users.

Embedded Amazon Sign-In Link (Risk Amplifier)

One critical finding in the analyzed html(landing page) template is the presence of a real Amazon sign-in URL:

hxxps://www.amazon.com.au/ap/signin?openid.return_to\u003dhttps%3A%2F%2Fwww.amazon.com.au%2FAmazon-dual-band-Wi-Fi-router-Charcoal%2Fproduct-reviews%2FB0DG4WZZPV%3Fie%3DUTF8\u0026openid.identity\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.assoc_handle\u003dauflex\u0026openid.mode\u003dcheckid_setup\u0026marketPlaceId\u003dA39IBJ37TRP1C6\u0026language\u003den\u0026openid.claimed_id\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.ns\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0

Although the link itself points to a legitimate Amazon domain, its inclusion serves several malicious purposes:

Trust reinforcement – Users who notice an Amazon login link may assume the page itself is legitimate.
Phishing pre-conditioning – The page trains users to expect Amazon authentication, lowering suspicion if future variants introduce credential-harvesting overlays or fake login forms.
Search engine deception – Legitimate outbound links to trusted brands can reduce automated suspicion and increase perceived legitimacy.

Infrastructure Abuse: Cloudflare Pages

A significant portion of the identified pages are hosted on pages.dev, indicating widespread abuse of Cloudflare Pages.

Why attackers favor this platform:

Attackers increasingly favor this platform because it offers free and frictionless deployment, allowing malicious infrastructure to be spun up with minimal effort or cost. The ability to rapidly propagate and clone sites enables large-scale campaigns using identical templates across numerous URLs. Built-in HTTPS support lends a false sense of legitimacy to victims while reducing setup overhead for attackers. Finally, takedown at scale is challenging without direct provider intervention, making the infrastructure resilient and attractive for sustained phishing and social-engineering operations.

The presence of identical HTML hashes across multiple pages.dev sites strongly suggests automated mass deployment.

Reputation Hijacking via Metadata Manipulation

One of the most critical behaviors in this campaign is the deliberate misuse of trusted third-party websites via metadata fields:

canonical
og:url
Structured data (Organization url)

In each deployment, these fields are set to different legitimate, unrelated websites, including:

Government portals
Educational institutions
Corporate websites
NGOs and public services

Why this technique is effective

Search engines treat canonical and structured data fields as strong trust signals. By embedding legitimate URLs, attackers attempt to:

Launder authority into spam pages
Artificially boost ranking
Associate gambling content with reputable entities
Pollute search results tied to trusted sites

The rotation of abused legitimate URLs across deployments confirms this is intentional and systematic, not accidental misconfiguration.

Template Reuse at Scale (urlscan Evidence)

Using urlscan hash-based searching, numerous sites were identified that share the same HTML fingerprint, indicating widespread reuse of a single template. These pages exhibit an identical DOM structure, contain the same hidden link blocks, and reuse identical SEO spam content across deployments. The only meaningful difference between each instance is the abused “legitimate” URL embedded into the template, highlighting automated cloning and large-scale propagation of the campaign.

This strongly confirms the presence of centralized template generation, with a single source producing identical page structures across multiple deployments. The consistent reuse further indicates automated deployment mechanisms, enabling rapid and large-scale rollout of these pages. Together, these patterns point to clear campaign level coordination, rather than isolated or opportunistic activity.

Such behavior is typical of industrial SEO poisoning operations.

Hidden Link Farm Injection

Each page contains a hidden HTML section (display:none) populated with:

Dozens of gambling-related anchor texts
Links pointing to the selected legitimate website for that deployment

Hidden link farms are a strong indicator of malicious SEO activity, designed to manipulate backlink metrics without user visibility.

Hidden Gambling Keyword

SLOT888, NAGATOTO, ANGKANET, ANGKABET, LADANGTOTO, BRI4D, SULE4D, WD YUK, OVOGG, GASING77, BROMO777, AGEN88, HQTOTO805, INFINI88, LAWU88, KENZO88, RAPI88, BETON88, KUDA4D, RAJA4D, LOTUS88, GIGA88, SULE88, TAMBANG88, MINION88, DEWA99, DEWA333, DEWATOTO, RAJA PAITO, RAJAJUDI, RAJAJP, RAJADEWA55, PADUKARAJA, WEBINI33, HYPE168, BOLA88, DEVIL666, 91DEWA, RAJA111, ROG777, TOTO77, TOP1TOTO, IBC4D, KIPASWIN, VANTASLOT, MANGJP, SAVEFROM IG, YANDEX EU, DAUN77, RAJAKOI, BIMABET, IDCASH, REDMITOTO, MEGA228, MEGAWIN228, INDOLOTTERY88, AMERIKATOTO, AMERIKA TOTO, BOLA GACOR, DADU ONLINE, DEWA666, WDBOS, SURYA123, RAYA123, JARWO123, MANCINGDUIT, MANCING DUIT, PANGKALANTOTO, NAGASAON, KAOS TOGEL, WOLES TOGEL, VESPA TOGEL, PINTU TOGEL, NADIMTOGEL, OMUTOGEL, DAYAK77, ALEXISTOGEL77, SASARANJITU, EUROTOGEL, JEBOLTOGEL, GENGTOTO, FENDI188, BIGWIN, MEGAWIN, MAHAZEUS, HARTA500, RTP JOSTOTO, ARYA88, NANASTOTO, DEPOBOS, JEJUSLOT, TARIKWDKU88, IDN SLOT, IDN POKER, SLOT88, SLOT88 RESMI, SLOT ONLINE, SLOT GACOR, SLOT THAILAND, SITUS TOGEL, TOTO TOGEL, TOTO SLOT, TOTO 4D, TOGEL ONLINE, TOGEL 4D, LUNA TOGEL, SITUS RAFFI AHMAD, SITUS TOTO 4D, SITUS TOGEL 4D, SITUS TOTO TOGEL, SITUS TOGEL TERBESAR, SITUS TOGEL RESMI, SITUS TOGEL TERPERCAYA, SLOT DEPO 10k, SLOT DEPO 10000, DEPO 10 BONUS 10, DEPO 20 BONUS 20, PADI777, SGP777, MPO100, MPO222, MPO007, MPOCASH, MPONUSA, MPO888, MPO77, MPOGACOR, LOS303, POS4D, OLLO4D, GAJAH77, DOLAR168, STARBET77, PANDAWA138, ZET77, KINGBET88, PERI909, ALADIN88, LIGA303, SITOOLS88, MPOJUTA, HAKIM77, SPBO, JET777, MINO4D, KOKO333, BATMAN123, MAXPRO88, MAMI188 LOGIN, TANAH4D, BAGONG88, IMPIAN888, SLOTONLINE, TEKTOK4D, MPO69, SLOTRESMI, PARTNER4D, MANJA88, PASUKAN99, TOOLS367, DAYANG4D, DEWABET138, HORMAT88, BUMI33, ROYALBET, ROYAL51, PAIRBET, WALET789, SULTAN99, MENARA88, SUBUR89, JOKER555, ZONA138, SARANATOGEL, SLOTGOPAY, 888WIN, SLOTQQ, SUPERSPIN555, QQZEUS, SOLO4D, 4DTOGEL, 88ASIA, SUPERWD, OLO4D, 4DASIA, QQ88, PINTU4D, QQ888, BETTOGEL, CAPIT4D, BOLASIAR, BADAI4D, ASIA118, MBO777, BIG365, ASOKA88, JURAGAN69, SUHU189, SUHU69, SUHUTOTO, KLIKSLOT, OLX888, PREMANSLOT, SAKTI123, RATUMACAU, KANTORBOLA, MT777, JP777, MPO99, ASIA4D, DEWA4D, STAR777, MPO4D, 75WBET, 56KBET, 55KBET, 55BET, 33BET, 777LIVE, 777BET, PC777, INA777, GM777, DEWAGACOR, HOKI88, HOKI188, PAY4D, ASIABET88, SKY777, JP88, 188BET, GACOR4D, SLOT303, SLOT77, DEWI78, UNYIL4D, JOSTOTO, ASIASLOT, SLOT99, BOS4D, AGEN188, AHA4D, STARSLOT, CUANSLOT, SITUS4D, PASARBARIS, WIN888, WIN777, BET77, BET88, IDNSLOT, 999BET, TOPSLOT, JUARASLOT, AGEN168, SLOT121, RAJA777, 77SLOT, PGSOFT, 88SLOT, ADA777, NEKO77, DRAGON77, INDOWIN, HOKI303, GACOR303, BET188, SLOTCUAN, AGENSLOT, RTPSLOT, VIRAL4D, JP4D, 100TOGEL, GBO138, DOSENTOTO, PARITOTO, JUDOLBET, GACOR888, HAHA303, KOKO288, AIRBET, ASIA303, TOKOWIN99, VIOBET, PRAGMATIC77, VIRAL99, GENG88, GOKIL303, GRAND77, SENIOR4D, XXTOTO, MILD88, DEWAASIA, BOSS88, INDOMASTER88, WADAH4D, CUAN368, BOLAPELANGI, FAIRTOTO, BINTANGMPO, AKARSLOT, SBOTOP, PITASLOT, KAISAR88, JAZZ188, ASIAPLAY, KAPTEN33, CRAZYRICH88, MESSIPOKER, SALDO4D, SURAT4D, REDWIN69, HOMEBET88, PG TOTO, DANA TOTO, MPO SLOT, NEXUS SLOT, SLOT TOGEL, SLOT MAXWIN, SLOT 777, gacor303, slot303, SLOT DEPO 10K, SLOT HOKI, HOKI SLOT, SLOT GACOR 5000, TOGEL HK, JUDOLBET88, SLOT BRI, SLOT BCA, PRAGMATIC PLAY, JAYASLOT, LINK GACOR, HONDA4D, SARANGSBOBET, ALEXIS4D, LEVIS4D, PULAU88, GGPLAY88, INI SLOT 88, PLAYKING88, JAM GACOR DAN POLA OLYMPUS, JAM GACOR MAXWIN, JAM GACOR SLOT MAHJONG WAYS 1, JAM GACOR SUGAR MAXWIN, JAM JACKPOT SLOT, OLX123, IWANTOTO, SLOT88JP, GACOR88, RATUBET, RAJABET, JUDI4D, BANDARTOTO, SLOTASIAN, DANAGACOR, TOTO888, TOTO303, TOTO777, JUARABET, ASUAGACOR, 4DTOTO, DANA888, PGSLOT, JUDI2D, AGEN2D, EMAS4D, RACUNSLOT, MASTER77, GACOR168, SLOTASIA88, JUDITOTO, FAFABET, GACOR999, BET89, SLOT22

The presence of hundreds of gambling keywords hidden from users but visible to crawlers is one of the strongest static indicators of malicious SEO activity, even in the absence of malware or credential harvesting code.

Indicators of Compromise (IOCs)

Domains

*.pages.dev

Behavioral Patterns

/dp/B0
pages.dev/dp/
Canonical: unrelated trusted domain
Embedded legitimate sign-in URL

This campaign represents a coordinated parasite SEO operation that combines brand impersonation, reputation hijacking, and infrastructure abuse.
While no direct credential theft was observed, the inclusion of a legitimate Amazon sign-in link significantly increases the phishing risk potential, indicating a design that is deceptive by intent and easily extensible into active scams.

Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP

December 31, 2025December 31, 2025 Anurag Gawande5 Comments

Overview

I investigated a phishing email impersonating WordPress.com that claims a domain renewal is due soon and urges immediate action to prevent service disruption. The campaign leads victims to a fake WordPress payment portal hosted on attacker infrastructure and performs theft of credit card details and 3-D Secure OTPs, which are exfiltrated to the attacker via Telegram.

Phishing Email Analysis

Subject: Renewal due soon – Action required

Key red flags in the email:

A critical red flag in this email is the absence of any specific domain name, which is highly unusual for a legitimate renewal notice. The message relies heavily on urgency-based language such as “Action required” to pressure the recipient into acting quickly, while using a generic greeting instead of addressing the actual account holder or domain. The call-to-action button redirects users away from genuine WordPress infrastructure to an external site, further indicating malicious intent. Despite these warning signs, the email maintains a polished and professional tone, a tactic commonly used by phishing campaigns to evade spam filters and appear credible to unsuspecting users.

The email attempts to create panic by suggesting website and email disruption, pushing users to act without verification.

Phishing Landing Page & UI Impersonation

Victims are redirected to:

hxxps://soyfix[.]com/log/log/

The phishing page is carefully designed to visually mimic a legitimate WordPress checkout flow, creating a false sense of trust for the victim. It displays familiar elements such as a “Secure order validation” banner and a seemingly valid domain registration for one year. The pricing breakdown appears realistic and professional, listing a subtotal of 13 US$, VAT at 21% amounting to 2.73 US$, and a final total of 15.73 US$. This level of detail is intentionally used to make the transaction appear authentic and to persuade users to proceed with entering their payment information.

Notably missing: the actual domain name being “renewed”.

Credit Card Harvesting Logic

Upon clicking Pay Now, the JavaScript collects:

Cardholder Name
Card Number
Expiry Date
CVV

The data is sent via a POST request to:

send_payment.php

Despite the generic filename, console messages and code comments explicitly state the data is forwarded to Telegram, indicating the attacker is using a Telegram bot/channel as a Command & Control (C2) exfiltration mechanism.

This confirms immediate card data theft at the moment of submission.

Fake 3-D Secure Verification & OTP Theft

After card submission, the site displays a convincing fake 3-D Secure modal showing:

Merchant: WordPress Inc
Transaction reference
Date/time
Amount: 15.73 $

The victim is prompted to enter an SMS OTP, which is then:

Validated only for length (6 digits)
Sent to:

send_sms.php

Exfiltrated to Telegram, as indicated in code comments and console logs

The page always returns “Verification failed”, forcing victims to re-enter OTPs, allowing attackers to harvest multiple valid codes.

Deception & Trust-Building Techniques

The script deliberately simulates legitimate banking behavior:

7 second loading screen after payment

4 second “verification processing” delay

Branded VISA / MasterCard / AMEX logos
Repeated OTP retry loop

These delays are psychological trust mechanisms, making the attack appear authentic and reducing user suspicion.

Telegram as Exfiltration Channel

This campaign deliberately avoids traditional command-and-control (C2) infrastructure by abusing lightweight PHP endpoints as relay points and forwarding stolen data directly to Telegram bots or channels. Through this mechanism, attackers can receive highly sensitive information including credit card details, one-time passwords (OTPs), and potentially additional victim metadata such as IP addresses and user-agent strings. Telegram based exfiltration has become increasingly popular among threat actors because it is easy to set up, uses encrypted transport by default, incurs minimal infrastructure costs, and is significantly harder to disrupt or take down compared to conventional hosted C2 panels.

Email Header Analysis

Display name impersonates WordPress
Actual sender domain: theyounginevitables[.]com
No affiliation with WordPress / Automattic

This is brand impersonation via display name spoofing.

Originating IP

217.160.125.42

Relayed via

smtp.aliyun-inc.com
out25-220.sg.a.dm.aliyun.com (8.219.25.220)

Observations

Infrastructure hosted on Alibaba Cloud (Aliyun)
Commonly abused for:
- Bulk phishing
- Scam campaigns
- Low-cost SMTP relays

Authentication Results

spf=pass

dkim=pass
d=theyounginevitables.com
s=aliyun-ap-southeast-1

dmarc=pass (p=NONE)

Sending IP 8.219.25.220 is authorized for theyounginevitables[.]com.

The domain’s DMARC policy is configured with p=NONE, which means there is no enforcement in place to protect against email spoofing. As a result, messages that fail DMARC checks are neither quarantined nor rejected, allowing unauthenticated or spoofed emails to be delivered to recipients without restriction. This weak configuration significantly increases the risk of phishing and impersonation attacks abusing the domain’s identity.

Message-ID

<8000000182331289985.auto.1765042452@theyounginevitables.com>

This indicates that the email was auto-generated rather than manually composed. Such structured, numeric heavy Message-ID formats are commonly associated with bulk SMTP frameworks and automated mailing tools, making this a typical characteristic of large scale phishing or spam campaigns rather than legitimate, individually sent communications.

Feedback-ID

vip_edm_SmtpTrigger

The presence of vip_edm_SmtpTrigger strongly suggests that the email was sent through a mass mailing or EDM (Electronic Direct Mail) system rather than a legitimate transactional email platform. This indicator is commonly associated with bulk marketing or automated email distribution frameworks and is inconsistent with genuine billing or renewal infrastructure, further reinforcing that the message is part of a large scale phishing or spam operation.

Indicators of Compromise (IOCs)

Domain

soyfix[.]com

Exfiltration Endpoints

/send_payment.php
/send_sms.php

Techniques

Brand impersonation (WordPress)
Credit card phishing
3-D Secure OTP interception
Telegram-based C2
JavaScript-driven exfiltration

Defensive Recommendations

Never renew domains via email links
Always verify billing inside the official WordPress dashboard
Block newly registered domains at mail gateways
Monitor for Telegram-based data exfiltration patterns
Train users on fake 3-D Secure verification loops

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

Category: Malware Analysis

Fake “Fast Ray VPN” Site on Cloudflare Pages Leading to PUA Downloads

Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate

Large-Scale Parasite SEO Campaign Using Amazon Style Pages on Cloudflare Pages

Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP