Scammers Hide Behind Scraped New York Times Pages and Google Cloud to Flood Inboxes

Researchers uncovered a vast spam network using scraped New York Times articles as decoys for security scanners. Attackers route emails through free Google Cloud Storage links, fingerprint visitors, and serve phishing content only to selected targets. The operation spans 12,700 servers in 55 countries.
Scammers Hide Behind Scraped New York Times Pages and Google Cloud to Flood Inboxes
Written by Emma Rogers

Security researchers recently uncovered a sprawling operation. It relies on stolen New York Times articles and free Google Cloud resources. The goal? Slip past email filters and trick automated scanners while delivering phishing links to chosen targets.

More than 12,700 servers across 55 countries form the backbone. Many host near-identical pages stuffed with copied Times content. The setup looks legitimate to security tools. To actual victims, it serves something far more dangerous.

The campaign starts with spam emails. These promise rewards, urgent payments or financial opportunities. Links inside route first through Google Cloud Storage. That trusted domain boosts deliverability. Filters see a reputable source and often let the message through.

From there, the path grows complex. Visitors encounter fingerprinting scripts. These analyze browser details, IP address and behavior. Only selected targets proceed to malicious landing pages. Everyone else? They see what appears to be a news site.

The decoy strategy marks a calculated evolution in evasion tactics.

Researchers at Comparitech traced the infrastructure after examining ordinary consumer inboxes. They followed chains of redirects. What they found was a coordinated global network designed for scale and stealth. (Comparitech)

Pages served to non-targets displayed scraped content from The New York Times. Articles on business, technology and world events filled the screens. The text matched real Times stories. Layout mimicked the newspaper’s style. Automated scanners, which often crawl links for suspicious signals, encountered familiar, reputable journalism instead of obvious fraud.

But the trick runs deeper. Attackers exploit new Google Cloud accounts. These come with $300 in free credits. Enough to host static HTML pages and redirection scripts for weeks or months. Once credits run low, operators simply spin up fresh buckets. The cycle repeats. Google gains another customer. Scammers gain another layer of legitimacy. (TechRadar)

Timing matters. Emails arrive at moments when recipients might expect financial news. Some reference recent market moves or government announcements. The scraped Times material reinforces the theme. A page about investment trends feels plausible when the email promised stock tips.

And then the switch happens. Targeted users see different content. Fake login forms. Requests for payment details. Malware download prompts. The fingerprinting ensures scanners and researchers rarely witness the real payload.

Some landing pages add another barrier. They present CAPTCHA challenges or simple image verification. Automated security crawlers stall. Human victims click through. The extra step buys time and raises the cost of detection.

This isn’t isolated. Recent reports show similar abuse of cloud platforms. Aryaka documented multi-stage fraud campaigns using Google Cloud Storage for redirection and profiling. Attackers combine weak authentication, layered redirects and analytics to profile visitors before serving tailored scams. (Aryaka)

Malwarebytes detailed a January 2026 phishing wave. Criminals abused Google Cloud Application Integration to send messages from a legitimate [email protected] address. Emails reached thousands of organizations. They led through trusted Google domains before hitting fake Microsoft 365 login pages. (Malwarebytes)

The New York Times itself has covered the broader rise of AI-assisted scams. In May, the paper noted how generative tools now produce flawless websites and cloned voices. Traditional red flags have vanished. Victims face polished copy and convincing design. (The New York Times)

Yet this particular campaign stands out for its deliberate use of real journalistic content as camouflage. Scraping the Times provides more than filler text. It supplies context, authority and topical relevance that generic lorem ipsum cannot match.

Scale impresses. Twelve thousand servers. Fifty-five countries. The infrastructure suggests professional operators with resources to maintain and rotate assets. Many servers host identical NYT-heavy pages. Consistency points to centralized control or shared tooling.

Defenders face tough questions. How do you block content that looks like the world’s most respected news outlet? How do you score links from storage.google.com without false positives that cripple legitimate business use?

Google has not publicly detailed specific responses to this campaign. The company routinely disables abusive accounts and improves abuse detection. Free credits remain a draw for developers and a vector for attackers.

Security teams report mixed results. Some email gateways now weigh cloud storage links more carefully. Others scan for signs of fingerprinting scripts or unusual redirect chains. Progress is incremental.

Comparitech researchers emphasized the dual role of the NYT content. It fools both filters and casual visitors. Only careful inspection reveals the identical blocks of text across unrelated domains. Patterns emerge when you look at hundreds of samples.

So what comes next? Expect more sophisticated decoys. Perhaps scraped content from additional reputable publishers. Or AI-generated articles styled after real outlets. The bar for evasion keeps rising.

Users should treat unexpected financial emails with fresh skepticism. Verify links independently. Avoid clicking through cloud storage redirects when the message feels off. Organizations need better outbound monitoring and stricter cloud account policies.

The operation reveals a truth about modern spam. Reputation laundering now extends beyond sender domains. It borrows the authority of journalism and the infrastructure of big tech. And it works at global scale.

Recent coverage from ITNerd blog highlighted the same network. It described the setup as a “global spam machine” that hides in plain sight behind trusted brands. The analysis reinforces how fingerprinting and content decoys combine to defeat both automated and human scrutiny. (ITNerd)

One detail lingers. The attackers don’t need to compromise The New York Times. They simply copy its output. In an open web, high-quality content becomes raw material for deception. The newspaper’s success at producing trusted information ironically supplies the perfect disguise.

Security vendors race to adapt heuristics. Some now look for duplicated text signatures across suspicious domains. Others model expected behavior for legitimate news aggregators. The cat-and-mouse game accelerates once again.

Yet the core insight remains simple. Trusted platforms and reputable content can be weaponized. Scammers don’t always build from scratch. Sometimes they borrow what already commands attention and confidence.

That borrowing powers inboxes worldwide with offers too good to ignore. Until you look closer. Then the polished surface cracks. And the machinery behind it comes into view.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us