Living Off the Land Attack: How Trusted Platforms Are Fueling Phishing

PhishFort Team

Key takeaways

  • Living off the land attacks use trusted platforms like Google Sites and Vercel to host phishing pages.
  • Attackers exploit domain reputation and cloud infrastructure to bypass detection.
  • Search engines are increasingly unreliable for navigating to financial platforms.

What Is a Living Off the Land Attack?

A living off the land attack is a technique where attackers use legitimate platforms, tools, or infrastructure to carry out malicious activity instead of building their own.

In phishing, this means hosting fake pages on trusted domains like Google Sites or Vercel, making them extremely difficult to detect.


When Living Off the Land Turns Phishing into a Science

In the world of cybersecurity, we often look for the scary stuff: custom malware, complex zero-day exploits, or suspicious domains. But the most effective attacks today aren’t coming from unknown infrastructure.

They are coming from the tools you use every day.

This is the era of living off the land phishing — a technique where attackers abandon their own infrastructure and instead operate entirely within trusted platforms.


The Infrastructure of Trust

Traditionally, phishing sites were easier to identify. Suspicious domains and poor reputation made detection straightforward.

Today, attackers host phishing pages on platforms like Google Sites, Vercel, Webflow, and Ghost.

They inherit trust by default.

  • SSL Certificates: These platforms issue valid SSL/TLS certificates for every hosted site, so a phishing page shows the same secure-connection indicator as a legitimate one.
  • Domain Authority: Security systems struggle to block trusted domains like sites.google.com or vercel.app, because blocking the domain would also block the legitimate sites hosted there.
  • Clean Redirects: Attackers use cloud apps to fingerprint visitors and selectively redirect real victims to malicious pages.

For a deeper understanding of how attackers exploit trusted environments, see fake investment platforms.


The Search Engine Paradox

Search engines have become part of the attack surface.

Both legitimate brands and attackers bid on the same keywords.

The attacker often wins.

A user searching for platforms like Uniswap or MetaMask may see:

  • A sponsored result from the real brand
  • A sponsored result from an attacker

Both look identical.

Because display URLs can differ from final destinations, users are redirected through trusted platforms before landing on phishing pages.

For general awareness on search-based scams, refer to FTC scam alerts: https://consumer.ftc.gov/scams


Why Search Is No Longer Reliable

Search engines were once the primary gateway to the internet.

Today, they are a high-risk entry point for financial and sensitive platforms.

Attackers target multiple brands simultaneously, creating hundreds of phishing pages hosted on trusted services.

This turns search results into a competitive marketplace where the highest bidder — not the most legitimate source — wins visibility.


Indicators of Compromise

Here are real-world examples of living off the land phishing using Google Sites:

Attacks against 1inch:

sites[.]google[.]com/view/1inch-o5
sites[.]google[.]com/view/1inch-swaps

Attacks against Aerodrome Finance:

sites[.]google[.]com/view/aerodrome-o2
sites[.]google[.]com/view/aerodrome-o3

Attacks against Hyperliquid:

sites[.]google[.]com/view/hyperliquid-h2
sites[.]google[.]com/view/hyperliquid-h3

Attacks against Jupiter:

sites[.]google[.]com/view/jup-dex-v1
sites[.]google[.]com/view/jup-dex-v2

Attacks against Ledger wallet:

sites[.]google[.]com/view/ledger-com-live-start
sites[.]google[.]com/view/ledger-com-starts

Attacks against Morpho Labs:

sites[.]google[.]com/view/morpho-dapp-ad-166
sites[.]google[.]com/view/morpho-dapp-ad-187

Attacks against PancakeSwap:

sites[.]google[.]com/view/pancakeswap-finance-v3
sites[.]google[.]com/view/pancakeswap-h1

Attacks against Uniswap:

sites[.]google[.]com/view/uniswapdex-145
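
Because the domain in every indicator above is a trusted one, a useful check has to look at the tenant-chosen part of the URL instead of the domain's reputation. The following is an added example, not PhishFort's code: it refangs indicators, pulls out the tenant label on the two platforms it lists, and flags labels containing a watched brand name. The watchlist, function names and the lines marked constructed are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Platforms named on this page, and where the tenant-chosen name sits in the URL.
SHARED_HOSTS = {"sites.google.com": "path", "vercel.app": "subdomain"}
# Illustrative watchlist (an assumption); load the brands you protect instead.
BRANDS = ["1inch", "hyperliquid", "ledger", "pancakeswap", "uniswap"]

def refang(indicator):
    """Turn a defanged indicator such as sites[.]google[.]com/... into a URL."""
    url = indicator.strip().replace("[.]", ".")
    return url if "://" in url else "https://" + url

def tenant_label(indicator):
    """Return (platform, tenant-chosen label), or None if not a listed platform."""
    parts = urlsplit(refang(indicator))
    host = (parts.hostname or "").lower()
    for platform, where in SHARED_HOSTS.items():
        if where == "path" and host == platform:
            # Google Sites layout: /view/<site-name>/...
            segs = [s for s in parts.path.split("/") if s]
            name = segs[1] if len(segs) > 1 and segs[0] == "view" else "/".join(segs)
            return platform, name.lower()
        if where == "subdomain" and host.endswith("." + platform):
            return platform, host[: -len(platform) - 1]
    return None

def brand_hits(indicator):
    """Brands whose name appears in the tenant label, ignoring separators."""
    found = tenant_label(indicator)
    if found is None:
        return []
    squashed = re.sub(r"[^a-z0-9]", "", found[1])
    return [b for b in BRANDS if b in squashed]

def scan(lines):
    """Return (indicator, platform, brands) for each line that needs review."""
    hits = [(line, brand_hits(line)) for line in lines]
    return [(line, tenant_label(line)[0], b) for line, b in hits if b]

# One indicator from this page plus constructed lines (marked) for contrast.
SAMPLE = [
    "sites[.]google[.]com/view/pancakeswap-finance-v3",
    "sites[.]google[.]com/view/school-chess-club",    # constructed, benign
    "https://uni-swap-example.vercel.app/connect",    # constructed
    "https://uniswap.example/swap",                   # constructed, other host
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Hits are candidates for review, since a brand may legitimately publish on these platforms. Abbreviated labels such as jup-dex-v1 are missed unless the abbreviation is added to the watchlist.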

How to Protect Yourself

  • Trust the URL, Not the Ad: Sponsored results are a bidding war. The highest bidder is often a thief, not the brand.
  • Cloud Hosting is a Double-Edged Sword: Just because a site is hosted on Vercel, Webflow, or Google Sites does not make it legitimate. Attackers love these platforms because they may bypass traditional security filters!
  • Kill the Search Habit: Never use a search engine to navigate to financial services, crypto exchanges, or sensitive logins like passport renewal, toll tax, tax services and so on.
  • The Power of Bookmarks: Manually find the official URL once, verify it via the brand’s official social media or whitepaper, and bookmark it. From that point on, only use that bookmark to access the site.
  • SEO is Compromised: AI-generated slop and malicious SEO and AEO poisoning mean that the first page of search results is no longer a curated list of the best sites, but a minefield of the highest-paying actors. Search engines may also show you completely bogus phone numbers!

Final Thoughts

Living off the land attacks succeed because they exploit trust in legitimate platforms.

They don’t break systems. They blend into them.

If attackers are abusing trusted platforms to launch phishing at scale, traditional detection methods are no longer enough.

Learn how to identify and take down phishing infrastructure across trusted domains with PhishFort digital threat protection.
