Cloud providers normally never delete files as soon as they fail to make a payment, but inboxes continue to be populated with notices saying that photos and documents will be “blocked” or deleted unless they renew the subscription immediately.
Users have been incessantly bombarded with a series of cloud-storage notices of “payment failure” and “storage fullness,” which attempt to incite them to the act of clicking. The messages are shared across numerous sender domains and subjects, more frequently adding the name of a person, email address, spoofed account identities, or a particular date in order to appear official. The strength tap remains unchanged the email messages allege that the backups will cease to sync, and photos, videos, and files will be lost unless something is done right now.
In the samples monitored, all emails eventually redirected to a link where it starts with storage.googleapis.com which is a valid address on Google cloud storage. That option is important as it can reduce suspicion at the point where the user is making the decision to either or not to click. The first page operates as a redirector (light), which gives the visitors further to scam pages with every new domain. Those pages masquerade as some recognizable “cloud portal,” lean on cloud-related branding, and show a dramatic warning that storage is full and data is no longer being backed-up.
Ever since the flow turns into a funnel guided. There is a large “Continue” button which directs to a false “scan,” which will always say that Photos, Drive, and Mail are full. The last stage is set as an upgrade, occasionally as a joke as some sort of limited time reward deal, but not a true purchase process of storage. Rather, the victims are redirected into affiliate-based checkout flows meant to obtain payment card information or redirect them into irrelevant subscription enrollments. It is a typical form of the modern scam: the email notification induces fear, the fake diagnosis offers an additional piece of evidence and the check-out site earns money on the mouse click.
Billings are not the predecessor of all the lures that are dedicated to storage. An iCloud-themed version, intercepted by mail, uses a less complex hook, indicating the mailbox is at “97%” capacity, and redirects to a custom-created upgrade portal which was created to collect logins. In this fraud, the phishing webpage relies on the thum.io screenshot service to display a background image of the legitimate company site of the victim, which creates a feeling of authenticity that the login request is on the victim company site. The phishing URL itself might also contain the email address of the target as a parameter and this minor detail can make the page look personalized and valid.
In a wider sense, the scammers have been taking advantage of trusted cloud capabilities to bypass individuals and filters. A pattern recorded indicates that phishing emails with a sender of noreply-application-integration-google.com are sent via a legitimate “send email” option, and then directed the victims in loops through Google-hosted URLs to a look-alike Microsoft 365 sign-in page. The process varies, though the result remains the same: well-known infrastructure is turned to camouflage to steal credentials.
A tell is practical, rather than cosmetic. Legitimate cloud providers do not fix the billing by redirecting the users to “storage scans,” third party upgrade portals or irrelevant checkout pages. To verify the real account status, one should open the official app of the provider or simply enter the known domain into the browser and not by clicking on an embed.
Recipients that prefer formal reporting line are simple to follow: reportphishing@apwg.org to report phishing, and report scams at the FTC fraud portal. The urgency of the situation in all variants is the same: do not click, do not fill it in, and do not enter the card data into the pages that were opened after a fear-induced email by the “storage.”
