Tag: Threat Intelligence

Ongoing Phishing Campaign Abusing Google Cloud Storage to Redirect Users to Multiple Scam Pages

Anurag GawandeLeave a comment

A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure:

Analysis of an Integrated Phishing Campaign Utilizing Google Cloud Infrastructure

While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD.

What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings.

Newly Observed Google Cloud Storage URLs

The following URLs were identified during the investigation:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html
storage[.]googleapis[.]com/wetaobao/taobao.html
storage[.]googleapis[.]com/savelinge/goforward.html
storage[.]googleapis[.]com/lithesome/stepupnow.html

One particular page stood out during analysis:

This page appears to function as a traffic distribution page, redirecting visitors to multiple phishing sites depending on campaign configuration.

storage[.]googleapis[.]com/whilewait/successcomes.html

I also shared an earlier observation on X (Twitter):

Traffic Redirection to .autos Phishing Domains

The redirector page was observed sending users to various phishing domains, most of which are hosted under the .autos top-level domain.

These phishing sites are themed around different scams designed to lure victims into providing personal or financial information.

Below are the different campaign themes identified.

Netflix Reward Phishing Pages

Some pages impersonate Netflix reward programs, claiming users have won prizes or special promotions.

Domains involved:

digital-shift-us-bin[.]autos
searchonboardloadingrock[.]autos
mailanalyticsvolseries[.]autos
verifieddreamseriesultimate[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos

Additional domains were also shared by an X user @skocherhan quoting my earlier post:

Additional domains observed:

goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos

These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize.

Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility.

Fake Dell Laptop Giveaway Survey

Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99.

Domains hosting these pages include:

avgeasyposttips[.]autos
searchonboardloadingrock[.]autos
alt-dig-gold-tab[.]autos
gold-avg-pe-nb[.]autos
tra4fficjumpchoiceclever[.]autos
digprtdreamavg[.]autos
shifttra4fficcapsmatch[.]autos
digitalshiftusbin[.]autos
spacevertabnb[.]autos
rot-digital-fly-f2f[.]autos

These pages typically:

  • Ask the victim to answer a few survey questions.
  • Display a congratulatory message.
  • Request credit card details to pay for shipping fees.

Fake “AI Data Assistant – Earn $500/day” Job Lure

Another theme used in this campaign promotes a fake online job opportunity, claiming users can earn $500 per day as an AI data assistant.

Observed domains:

verifieddreamseriesultimate[.]autos
pushbuttonsystem[.]net
lifeverifiedfavouritever[.]autos
mailanalyticsvolseries[.]autos
spacevertabnb[.]autos

These pages typically claim:

  • No experience required
  • High daily earnings
  • Work from home opportunities

Users are often redirected through several steps designed to collect personal information or push affiliate offers.

“Antivirus Subscription Expired” Phishing Pages

Another set of pages impersonates security alerts, claiming the user’s antivirus subscription has expired.

Domains observed:

safepremiumfreeriskfree[.]autos
nationalrecommendsafesmart[.]autos
deviceriskfreesafe[.]autos
freespeedpopular[.]autos
guardpopularinstalldevice[.]autos
speeddeviceboostfast[.]autos
programeffectivespeedfast[.]autos

These pages typically:

  • Display fake security warnings
  • Urge users to renew antivirus protection
  • Redirect victims to payment or affiliate pages.

“Cloud Storage Full” Phishing Pages

Another variation of this campaign uses cloud storage warnings, claiming the user’s storage account is full.

Observed domains:

stairs-table-fire.autos
tablewordstairs[.]autos
ceilwordinteriorbowl[.]autos
safe-premium-free-riskfree[.]autos
nationalprotectsmartfree[.]autos
guardpopularinstalldevice[.]autos
ceil-word-interior-bowl[.]autos
free-speed-popular-guard[.]autos
device-safe-clean-boost[.]autos
boost-premium-recommend-effective[.]autos
trk[.]independent-teacher-strength-nails[.]run

Additional domains were also shared by an X user quoting my earlier post:

These pages often mimic services such as:

  • Google Drive
  • iCloud

The goal is to scare victims into clicking through fake upgrade or security alerts.

Fake Walmart Survey Scam

Several phishing domains impersonate Walmart survey reward campaigns, often promising a free gift or prize in exchange for completing a short survey.

Domains observed:

jumpdiganalyticsprt[.]autos
avgeasyposttips[.]autos
cleververifieddigitalmatch[.]autos
altbio[.]autos
alt-dig-gold-tab[.]autos
matchstarsrotchoice[.]autos
directvolcapsus[.]autos
digprtdreamavg[.]autos

These pages typically display messages such as:

  • “Congratulations! You have been selected to receive a reward”
  • “Complete a short Walmart survey to claim your prize”

After the survey is completed, victims are usually asked to pay a small shipping fee, where credit card information is harvested.

Key Observation

One of the most notable aspects of this campaign is the central role of the Google Cloud Storage page:

storage[.]googleapis[.]com/whilewait/successcomes.html

During testing, this page was observed redirecting users to multiple phishing domains across different scam themes.

This suggests it is functioning as a traffic distribution or redirect infrastructure, allowing attackers to rotate phishing destinations while keeping the initial delivery URL stable.

Using Google Cloud Storage also adds a layer of trust, as the domain belongs to a legitimate cloud provider.

Another interesting observation is that a single .autos domain can serve multiple phishing page themes after redirection from the Google Cloud Storage page. Depending on the redirection path or parameters, the same domain may host different scams such as:

  • Fake surveys
  • Reward scams
  • Storage full alerts
  • Antivirus subscription warnings
  • Job offer lures

This behavior indicates that the attackers are likely using a shared phishing kit or centralized backend infrastructure, allowing them to quickly rotate scam themes while reusing the same domains.

Another observation is the high volume of phishing emails currently being distributed using this infrastructure. Over the past few days, I have been receiving around 40–50 phishing emails within a 24-hour period, many of which contain links to Google Cloud Storage pages that act as redirectors to the phishing ecosystem described in this report.

URLs repeatedly observed in these emails include:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/savelinge/goforward.html

Indicators of Compromise (IOCs)

Google Cloud URLs

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html
storage[.]googleapis[.]com/wetaobao/taobao.html
storage[.]googleapis[.]com/savelinge/goforward.html
storage[.]googleapis[.]com/lithesome/stepupnow.html

Phishing Domains

digital-shift-us-bin[.]autos
searchonboardloadingrock[.]autos
mailanalyticsvolseries[.]autos
verifieddreamseriesultimate[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos
avgeasyposttips[.]autos
searchonboardloadingrock[.]autos
alt-dig-gold-tab[.]autos
gold-avg-pe-nb[.]autos
tra4fficjumpchoiceclever[.]autos
digprtdreamavg[.]autos
shifttra4fficcapsmatch[.]autos
digitalshiftusbin[.]autos
spacevertabnb[.]autos
rot-digital-fly-f2f[.]autos
verifieddreamseriesultimate[.]autos
pushbuttonsystem[.]net
lifeverifiedfavouritever[.]autos
mailanalyticsvolseries[.]autos
spacevertabnb[.]autos
safepremiumfreeriskfree[.]autos
nationalrecommendsafesmart[.]autos
deviceriskfreesafe[.]autos
freespeedpopular[.]autos
guardpopularinstalldevice[.]autos
speeddeviceboostfast[.]autos
programeffectivespeedfast[.]autos
stairs-table-fire.autos
tablewordstairs[.]autos
ceilwordinteriorbowl[.]autos
safe-premium-free-riskfree[.]autos
nationalprotectsmartfree[.]autos
guardpopularinstalldevice[.]autos
ceil-word-interior-bowl[.]autos
free-speed-popular-guard[.]autos
device-safe-clean-boost[.]autos
boost-premium-recommend-effective[.]autos
trk[.]independent-teacher-strength-nails[.]run
jumpdiganalyticsprt[.]autos
avgeasyposttips[.]autos
cleververifieddigitalmatch[.]autos
altbio[.]autos
alt-dig-gold-tab[.]autos
matchstarsrotchoice[.]autos
directvolcapsus[.]autos
digprtdreamavg[.]autos

This campaign demonstrates how attackers continue to abuse trusted cloud infrastructure such as Google Cloud Storage to host redirectors that distribute victims to multiple phishing pages.

By using legitimate cloud services as part of the attack chain, threat actors can increase credibility and reduce the likelihood of immediate blocking.

The use of large numbers of disposable .autos domains further allows attackers to rotate phishing pages frequently while keeping the delivery infrastructure intact.

In addition, the system appears to restrict repeated access attempts from the same IP address. After a user successfully reaches a phishing page through the redirector, subsequent attempts to access similar URLs from the same IP may result in the page failing to load or redirecting to unrelated sites. This behavior suggests the presence of IP-based filtering or traffic distribution logic, commonly used in malicious traffic distribution systems (TDS) to control how often a visitor can access the phishing infrastructure.

Crypto Compensation Scam: Fake BTC Payout Lure Abusing Survey & Payment Flows

Anurag Gawande1 Comment

Overview

I recently came across a message containing the following link:

hxxps://yandex[.]com/poll/PdZ7vgekGrNakuXZcpiB6b

At first, it didn’t look suspicious. It opened as a simple survey/poll page. But as I continued, the flow quickly shifted into a crypto reward scenario, claiming that I was eligible to receive a Bitcoin compensation payment.

And as expected with these kinds of lures, there’s a catch.

Before you can withdraw the funds, you’re asked to pay a small “commission” fee.

Full Scam Walkthrough (Video)

This gives a better idea of how smoothly the entire flow is designed to push the victim toward payment.

Infection / Lure flow

1. Initial Entry (Survey / Poll Page)

The flow starts with a Yandex poll link, which works as a kind of entry point.

This step likely serves multiple purposes. It helps make the interaction feel legitimate since it’s hosted on a known platform. It may also act as a basic filter to distinguish real users from automated systems. More importantly, it sets up the next stage of redirection.

2. Fake Bitcoin Compensation Page

After interacting with the poll, I was redirected to a page that looks like it belongs to a Bitcoin related service.

The page presents a sense of urgency by claiming that a new transaction of 0.943 BTC has been created and already marked as approved. It then introduces pressure by warning the user to withdraw the funds within 24 hours, a tactic commonly used to rush victims into taking immediate action without verifying the legitimacy of the claim.

This is where the emotional hook kicks in. Seeing a large amount like 0.943 BTC immediately grabs attention.

3. Social Engineering via Chat Assistant

Then a chat window appears, introducing a support agent.

The message explains that to complete the payment process, you need to register your profile in a compensation system. It sounds procedural and official, which is exactly the intention.

Shortly after, the real objective becomes clear.

You are asked to:

Pay $67 for legal profile registration services

4. Payment Gateway

Clicking the payment link takes you to a dedicated payment page.

Here, everything is carefully designed to appear legitimate and trustworthy. The page shows a specific payment amount of $67, provides a Bitcoin payment option via a QR code, and displays a wallet address to reinforce authenticity. On top of that, a countdown timer indicating invoice expiry adds urgency, subtly pressuring the user to complete the transaction quickly without questioning its validity.

The design mimics real crypto payment processors, which helps reduce suspicion.

The flow is quite structured and intentional.

It starts by engaging the user through a trusted platform, which lowers initial suspicion. Then it introduces a high-value crypto reward, creating excitement. A chat assistant adds a layer of interaction, making the process feel guided and legitimate.

Finally, the user is asked to pay a relatively small fee to unlock a much larger reward.

This is essentially an advance fee scam, adapted to fit into a crypto themed narrative.

Additional Variant Observed (Octa-Themed Flow)

While analyzing further, I encountered another link that follows the same backend scam logic, but with a different initial presentation.

The flow eventually leads to the same outcome, pay a commission to withdraw BTC.

Variant Walkthrough (Video)

1. Fake Account / Transfer Notification

This version starts with a fake dashboard impersonating Octa.

The page further attempts to lure users by displaying a message stating “You have a new money transfer”, along with a balance of 1.824 BTC. This presentation is crafted to create excitement and curiosity, making it seem like the user has unexpectedly received funds, while subtly encouraging them to engage with the page and follow the next steps without questioning its authenticity.

2. Fake Login & Temporary Password Flow

The user is asked to log in using a temporary password.

This step closely mimics real authentication flows to build trust and credibility. It displays a temporary password, includes an OTP style input field, and reinforces legitimacy with messaging like “Do not share this password!”. These familiar elements are designed to make the process feel secure and authentic, lowering suspicion while guiding the user further into the flow.

3. Transaction Dashboard

After logging in, the user is presented with a dashboard that appears highly convincing, displaying details such as the sender labeled as Octa, a balance of 1.824 BTC, and a status marked as paid. The layout, wording, and transaction details are all carefully crafted to create a sense of authenticity, making the entire interface look legitimate and encouraging the user to trust the process without suspicion.

4. Commission Justification

Before allowing any withdrawal, the platform introduces an additional requirement in the form of a commission fee of around $69, accompanied by an explanation about wallet limits and transfer rules. This step is designed to appear reasonable and procedural, giving the impression that the fee is a standard part of the process while subtly nudging the user to make a payment in order to access the supposed funds.

5. Payment Page

Just like the initial flow, the process ultimately leads to a familiar payment stage, presenting a Bitcoin payment request along with a QR code and a wallet address for convenience. An expiry timer is also displayed to create urgency, pressuring the user to act quickly and complete the payment without taking the time to question the legitimacy of the request.

What stands out is how the attackers reuse the same core scam but change the entry point.

I also looked into related activity on URLScan and found similar lures being actively scanned in the last couple of days, which indicates that this is not a one off campaign but something currently active and evolving.

Indicators of Compromise (IOCs)

URLs

Along with the observed infrastructure, I checked domain registration timelines, which further indicate that this campaign is relatively recent and actively being used.

  • cosibas[.]site – Registered on 2026-01-30
  • paybits[.]cc – Registered on 2026-02-02

hxxps://yandex[.]com/poll/PdZ7vgekGrNakuXZcpiB6b
hxxps://yandex[.]com/poll/GjSFvwyKcmEMXpzm6yDExc
hxxps://cosibas[.]site/bloc/anketa-sent.html
hxxps://cosibas[.]site/octa/
hxxps://paybits[.]cc/payment/

Cloudflare Pages “Continue Read” Redirect Kit Abused for Phishing, Adware, and Malware Delivery

Anurag Gawande1 Comment

I identified a long-running redirect infrastructure abusing Cloudflare Pages (pages.dev) to host benign-looking SEO articles (for example, celebrity “net worth” blogs or gaming help content) that display a forced “Continue reading / Continue Read” pop-up shortly after page load.

Once the user clicks the button, the browser is redirected into downstream infrastructure that may lead to:

  • Credential-harvesting phishing pages
  • Adware / PUP installers
  • Trojan or malware droppers
  • Fake browser download lures (observed: Opera-themed “diagnostics” funnel)
  • QR-code / fake CAPTCHA social-engineering pages

More than 250 URLs were observed using the same visual template and behavior, and historical evidence from URLScan shows activity persisting for 5 months, suggesting deliberate reputation building and SEO indexing.

Initial Infection Vector: Benign SEO Content on Cloudflare Pages

The landing pages appear as normal blog articles but automatically display a modal message:

“Continue reading by clicking the button below.”

This design ensures the redirect is user-initiated, helping bypass automated scanners and reputation systems.

Common characteristics

  • Hosted on: *.pages.dev
  • SEO-style article content
  • Modal overlay appears a few seconds after page load
  • Redirect only occurs after button click

Scale, Persistence, and Search Engine Exposure

Across the analyzed samples, more than 250 distinct URLs were identified showing identical UI and UX behavior, indicating the use of the same phishing template or kit deployed across different article topics. The activity has remained visible for approximately five months based on URLScan observations, suggesting persistence rather than short-lived campaigns. Additionally, some of these pages have been indexed in Google search results, significantly increasing the likelihood of exposure to real users and amplifying the overall risk posed by the operation.

Redirect Logic (Click-Gated Pre-Lander Behavior)

The redirect mechanism is implemented using delayed modal display and a click-triggered JavaScript redirect.

Key Observation

Across many different pages, most samples use the same redirect destination inside window.open()

This is important because it shows that the pages.dev sites are probably not standalone phishing pages created one by one. Instead, they appear to work more like traffic pre-landers that quietly direct visitors to a shared backend system. The key= parameter in the URL also looks intentional rather than random, and it is likely being used for tracking or routing within the campaign, possibly as a campaign ID, an affiliate tracking token, or even a value used to classify or group potential victims.

In short:

Multiple benign-looking SEO pages are acting as entry points into a centralized redirect infrastructure.

Central Redirector Role in the Infection Chain

The shared redirect endpoint:

hxxps://preservationwristwilling[.]com/utx3iw6i?key=<token>

likely serves as a Traffic Distribution System (TDS) decision node, responsible for:

  • Geo/IP filtering
  • Proxy/VPN detection
  • User-agent validation
  • Campaign routing
  • Conditional payload delivery

Simplified Kill Chain

Anti-Analysis Behavior: Proxy / VPN Detection

During testing, downstream pages performed VPN/Proxy checks.

If anonymity was detected, the page displayed:

“Anonymous Proxy detected.”

and stopped further redirection.

Security Impact

From a security perspective, this behavior is particularly concerning because it makes deeper analysis much harder. By blocking or redirecting automated environments, it can prevent sandboxes and researchers from ever reaching the real payload, which in turn leads to very low antivirus detection rates. As a result, automated scans may incorrectly appear clean, creating a false sense of safety even though malicious activity may still be present behind the scenes.

Observed Downstream Outcomes

1) Fake File Download Funnel – S3 ZIP Payload

One redirect path showed a “Your File Download Is Ready” page, leading to:

  • Intermediate download host (e.g., loaditfile[.]com)
  • Final payload stored on Amazon S3 (SetupFile-xxxx.zip)

2) Fake Browser Diagnostics – Opera Download Lure

Another branch displayed a fake compatibility/diagnostics score (e.g., 40/100) urging users to:

“Download Opera Browser”

This pattern feels very similar to the affiliate-driven browser installation funnels often seen in malvertising campaigns, where traffic is quietly redirected through multiple steps before reaching the final payload or monetization stage.

3) QR Code / Fake CAPTCHA Social Engineering

Some redirects presented:

  • “Prove you are not a robot”
  • QR code requiring mobile scan

Flows like this are commonly designed to move victims step by step toward the attacker’s real objective. In many cases, the final destination can be a phishing page that steals credentials, a subscription fraud scheme that silently charges the user, or even the delivery of mobile malware disguised as a legitimate download.

Payload Example and Low Detection Context

One observed executable sample (adware/PUP classification):

SHA256: be590100ecdcae5ce4b7b42f87082e201fcb2f38c114c8fbc6640ad9b9a0708a

VirusTotal showed detection

What makes this particularly notable is that the overall setup closely matches how modern malvertising Traffic Distribution Systems (TDS) typically operate. The infrastructure shows several familiar patterns, such as abusing a trusted hosting platform like Cloudflare Pages, allowing pages to be indexed by search engines to attract organic traffic, and using click-gated redirects to evade automated analysis. Behind the scenes, everything appears to funnel through a centralized redirect endpoint where the final payload can be delivered conditionally, depending on the visitor. This kind of design also supports multiple monetization paths rather than a single outcome. Taken together, it suggests we are not looking at just one phishing kit, but a broader shared redirect ecosystem designed to distribute traffic at scale.

Indicators of Compromise (IOCs)

Domain

  • preservationwristwilling[.]com
  • Path: /utx3iw6i
  • Query Parameter: key=<token>
  • loaditfile[.]com

Malicious Sample

  • be590100ecdcae5ce4b7b42f87082e201fcb2f38c114c8fbc6640ad9b9a0708a
  • Windows Executable
  • Classification: Adware/PUP
  • VirusTotal Detection

Network Indicator

preservationwristwilling[.]com/utx3iw6i?key=

URLScan.io search result

This campaign highlights how attackers carefully blend several techniques to stay under the radar and keep their operation running for long periods. By abusing legitimate hosting services, leveraging SEO poisoning to attract real users, using click-triggered redirects to avoid automated detection, and routing visitors through a centralized traffic system, they create a stealthy and resilient infrastructure capable of quietly delivering malware or other malicious outcomes over time

Large-Scale Parasite SEO Campaign Using Amazon Style Pages on Cloudflare Pages

Anurag GawandeLeave a comment

Overview

This blog documents a large-scale parasite SEO (search engine poisoning) campaign identified across dozens of domains hosted on Cloudflare Pages.

The campaign relies on a reused malicious HTML template that impersonates Amazon style product pages, injects gambling related SEO spam, and abuses canonical, Open Graph, and structured data fields to hijack the reputation of unrelated legitimate websites.

Analysis using urlscan hash searches confirms that the same page template is deployed at scale, with only the embedded “legitimate” URL changing between deployments. This behavior indicates an automated SEO spam operation, not isolated compromise.

Notably, the template also embeds a legitimate Amazon sign-in URL, further reinforcing the illusion of authenticity and increasing the phishing risk surface.

No direct credential harvesting or malware delivery was observed. Nevertheless, the activity is malicious by intent, designed to manipulate search rankings and mislead both users and search engines.

Campaign Overview

The campaign combines multiple well-known SEO abuse techniques:

  • Fake Amazon product page URL structures
  • Free static hosting infrastructure (primarily Cloudflare Pages)
  • Gambling keyword injection (e.g., slot gacor, JUDOLBET88)
  • Canonical and Open Graph metadata pointing to unrelated trusted websites
  • Hidden backlink farms to inflate SEO signals
  • Embedded legitimate links to trusted services (Amazon sign-in)

Amazon Product Page Impersonation

A representative example observed in this campaign:

/dp/B08ZJVVMT4?ref=MarsFS_eero_en

Key indicators:

  • /dp/<ASIN> is specific to Amazon product URLs
  • ref= parameters mimic Amazon referral tracking
  • No legitimate product details, pricing, or checkout functionality exists

These URLs are crafted solely to exploit search engine familiarity and trust, not to serve users.

Embedded Amazon Sign-In Link (Risk Amplifier)

One critical finding in the analyzed html(landing page) template is the presence of a real Amazon sign-in URL:

hxxps://www.amazon.com.au/ap/signin?openid.return_to\u003dhttps%3A%2F%2Fwww.amazon.com.au%2FAmazon-dual-band-Wi-Fi-router-Charcoal%2Fproduct-reviews%2FB0DG4WZZPV%3Fie%3DUTF8\u0026openid.identity\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.assoc_handle\u003dauflex\u0026openid.mode\u003dcheckid_setup\u0026marketPlaceId\u003dA39IBJ37TRP1C6\u0026language\u003den\u0026openid.claimed_id\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.ns\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0

Although the link itself points to a legitimate Amazon domain, its inclusion serves several malicious purposes:

  • Trust reinforcement – Users who notice an Amazon login link may assume the page itself is legitimate.
  • Phishing pre-conditioning – The page trains users to expect Amazon authentication, lowering suspicion if future variants introduce credential-harvesting overlays or fake login forms.
  • Search engine deception – Legitimate outbound links to trusted brands can reduce automated suspicion and increase perceived legitimacy.

Infrastructure Abuse: Cloudflare Pages

A significant portion of the identified pages are hosted on pages.dev, indicating widespread abuse of Cloudflare Pages.

Why attackers favor this platform:

Attackers increasingly favor this platform because it offers free and frictionless deployment, allowing malicious infrastructure to be spun up with minimal effort or cost. The ability to rapidly propagate and clone sites enables large-scale campaigns using identical templates across numerous URLs. Built-in HTTPS support lends a false sense of legitimacy to victims while reducing setup overhead for attackers. Finally, takedown at scale is challenging without direct provider intervention, making the infrastructure resilient and attractive for sustained phishing and social-engineering operations.

The presence of identical HTML hashes across multiple pages.dev sites strongly suggests automated mass deployment.

Reputation Hijacking via Metadata Manipulation

One of the most critical behaviors in this campaign is the deliberate misuse of trusted third-party websites via metadata fields:

  • canonical
  • og:url
  • Structured data (Organization url)

In each deployment, these fields are set to different legitimate, unrelated websites, including:

  • Government portals
  • Educational institutions
  • Corporate websites
  • NGOs and public services

Why this technique is effective

Search engines treat canonical and structured data fields as strong trust signals. By embedding legitimate URLs, attackers attempt to:

  • Launder authority into spam pages
  • Artificially boost ranking
  • Associate gambling content with reputable entities
  • Pollute search results tied to trusted sites

The rotation of abused legitimate URLs across deployments confirms this is intentional and systematic, not accidental misconfiguration.

Template Reuse at Scale (urlscan Evidence)

Using urlscan hash-based searching, numerous sites were identified that share the same HTML fingerprint, indicating widespread reuse of a single template. These pages exhibit an identical DOM structure, contain the same hidden link blocks, and reuse identical SEO spam content across deployments. The only meaningful difference between each instance is the abused “legitimate” URL embedded into the template, highlighting automated cloning and large-scale propagation of the campaign.

This strongly confirms the presence of centralized template generation, with a single source producing identical page structures across multiple deployments. The consistent reuse further indicates automated deployment mechanisms, enabling rapid and large-scale rollout of these pages. Together, these patterns point to clear campaign level coordination, rather than isolated or opportunistic activity.

Such behavior is typical of industrial SEO poisoning operations.

Hidden Link Farm Injection

Each page contains a hidden HTML section (display:none) populated with:

  • Dozens of gambling-related anchor texts
  • Links pointing to the selected legitimate website for that deployment

Hidden link farms are a strong indicator of malicious SEO activity, designed to manipulate backlink metrics without user visibility.

Hidden Gambling Keyword

SLOT888, NAGATOTO, ANGKANET, ANGKABET, LADANGTOTO, BRI4D, SULE4D, WD YUK, OVOGG, GASING77, BROMO777, AGEN88, HQTOTO805, INFINI88, LAWU88, KENZO88, RAPI88, BETON88, KUDA4D, RAJA4D, LOTUS88, GIGA88, SULE88, TAMBANG88, MINION88, DEWA99, DEWA333, DEWATOTO, RAJA PAITO, RAJAJUDI, RAJAJP, RAJADEWA55, PADUKARAJA, WEBINI33, HYPE168, BOLA88, DEVIL666, 91DEWA, RAJA111, ROG777, TOTO77, TOP1TOTO, IBC4D, KIPASWIN, VANTASLOT, MANGJP, SAVEFROM IG, YANDEX EU, DAUN77, RAJAKOI, BIMABET, IDCASH, REDMITOTO, MEGA228, MEGAWIN228, INDOLOTTERY88, AMERIKATOTO, AMERIKA TOTO, BOLA GACOR, DADU ONLINE, DEWA666, WDBOS, SURYA123, RAYA123, JARWO123, MANCINGDUIT, MANCING DUIT, PANGKALANTOTO, NAGASAON, KAOS TOGEL, WOLES TOGEL, VESPA TOGEL, PINTU TOGEL, NADIMTOGEL, OMUTOGEL, DAYAK77, ALEXISTOGEL77, SASARANJITU, EUROTOGEL, JEBOLTOGEL, GENGTOTO, FENDI188, BIGWIN, MEGAWIN, MAHAZEUS, HARTA500, RTP JOSTOTO, ARYA88, NANASTOTO, DEPOBOS, JEJUSLOT, TARIKWDKU88, IDN SLOT, IDN POKER, SLOT88, SLOT88 RESMI, SLOT ONLINE, SLOT GACOR, SLOT THAILAND, SITUS TOGEL, TOTO TOGEL, TOTO SLOT, TOTO 4D, TOGEL ONLINE, TOGEL 4D, LUNA TOGEL, SITUS RAFFI AHMAD, SITUS TOTO 4D, SITUS TOGEL 4D, SITUS TOTO TOGEL, SITUS TOGEL TERBESAR, SITUS TOGEL RESMI, SITUS TOGEL TERPERCAYA, SLOT DEPO 10k, SLOT DEPO 10000, DEPO 10 BONUS 10, DEPO 20 BONUS 20, PADI777, SGP777, MPO100, MPO222, MPO007, MPOCASH, MPONUSA, MPO888, MPO77, MPOGACOR, LOS303, POS4D, OLLO4D, GAJAH77, DOLAR168, STARBET77, PANDAWA138, ZET77, KINGBET88, PERI909, ALADIN88, LIGA303, SITOOLS88, MPOJUTA, HAKIM77, SPBO, JET777, MINO4D, KOKO333, BATMAN123, MAXPRO88, MAMI188 LOGIN, TANAH4D, BAGONG88, IMPIAN888, SLOTONLINE, TEKTOK4D, MPO69, SLOTRESMI, PARTNER4D, MANJA88, PASUKAN99, TOOLS367, DAYANG4D, DEWABET138, HORMAT88, BUMI33, ROYALBET, ROYAL51, PAIRBET, WALET789, SULTAN99, MENARA88, SUBUR89, JOKER555, ZONA138, SARANATOGEL, SLOTGOPAY, 888WIN, SLOTQQ, SUPERSPIN555, QQZEUS, SOLO4D, 4DTOGEL, 88ASIA, SUPERWD, OLO4D, 4DASIA, QQ88, PINTU4D, QQ888, BETTOGEL, CAPIT4D, BOLASIAR, BADAI4D, ASIA118, MBO777, BIG365, ASOKA88, JURAGAN69, SUHU189, SUHU69, SUHUTOTO, KLIKSLOT, OLX888, PREMANSLOT, SAKTI123, RATUMACAU, KANTORBOLA, MT777, JP777, MPO99, ASIA4D, DEWA4D, STAR777, MPO4D, 75WBET, 56KBET, 55KBET, 55BET, 33BET, 777LIVE, 777BET, PC777, INA777, GM777, DEWAGACOR, HOKI88, HOKI188, PAY4D, ASIABET88, SKY777, JP88, 188BET, GACOR4D, SLOT303, SLOT77, DEWI78, UNYIL4D, JOSTOTO, ASIASLOT, SLOT99, BOS4D, AGEN188, AHA4D, STARSLOT, CUANSLOT, SITUS4D, PASARBARIS, WIN888, WIN777, BET77, BET88, IDNSLOT, 999BET, TOPSLOT, JUARASLOT, AGEN168, SLOT121, RAJA777, 77SLOT, PGSOFT, 88SLOT, ADA777, NEKO77, DRAGON77, INDOWIN, HOKI303, GACOR303, BET188, SLOTCUAN, AGENSLOT, RTPSLOT, VIRAL4D, JP4D, 100TOGEL, GBO138, DOSENTOTO, PARITOTO, JUDOLBET, GACOR888, HAHA303, KOKO288, AIRBET, ASIA303, TOKOWIN99, VIOBET, PRAGMATIC77, VIRAL99, GENG88, GOKIL303, GRAND77, SENIOR4D, XXTOTO, MILD88, DEWAASIA, BOSS88, INDOMASTER88, WADAH4D, CUAN368, BOLAPELANGI, FAIRTOTO, BINTANGMPO, AKARSLOT, SBOTOP, PITASLOT, KAISAR88, JAZZ188, ASIAPLAY, KAPTEN33, CRAZYRICH88, MESSIPOKER, SALDO4D, SURAT4D, REDWIN69, HOMEBET88, PG TOTO, DANA TOTO, MPO SLOT, NEXUS SLOT, SLOT TOGEL, SLOT MAXWIN, SLOT 777, gacor303, slot303, SLOT DEPO 10K, SLOT HOKI, HOKI SLOT, SLOT GACOR 5000, TOGEL HK, JUDOLBET88, SLOT BRI, SLOT BCA, PRAGMATIC PLAY, JAYASLOT, LINK GACOR, HONDA4D, SARANGSBOBET, ALEXIS4D, LEVIS4D, PULAU88, GGPLAY88, INI SLOT 88, PLAYKING88, JAM GACOR DAN POLA OLYMPUS, JAM GACOR MAXWIN, JAM GACOR SLOT MAHJONG WAYS 1, JAM GACOR SUGAR MAXWIN, JAM JACKPOT SLOT, OLX123, IWANTOTO, SLOT88JP, GACOR88, RATUBET, RAJABET, JUDI4D, BANDARTOTO, SLOTASIAN, DANAGACOR, TOTO888, TOTO303, TOTO777, JUARABET, ASUAGACOR, 4DTOTO, DANA888, PGSLOT, JUDI2D, AGEN2D, EMAS4D, RACUNSLOT, MASTER77, GACOR168, SLOTASIA88, JUDITOTO, FAFABET, GACOR999, BET89, SLOT22

The presence of hundreds of gambling keywords hidden from users but visible to crawlers is one of the strongest static indicators of malicious SEO activity, even in the absence of malware or credential harvesting code.

Indicators of Compromise (IOCs)

Domains

  • *.pages.dev

Behavioral Patterns

  • /dp/B0
  • pages.dev/dp/
  • Canonical: unrelated trusted domain
  • Embedded legitimate sign-in URL

This campaign represents a coordinated parasite SEO operation that combines brand impersonation, reputation hijacking, and infrastructure abuse.
While no direct credential theft was observed, the inclusion of a legitimate Amazon sign-in link significantly increases the phishing risk potential, indicating a design that is deceptive by intent and easily extensible into active scams.