Phishing: Fake cloud storage warning tracked
Phishing emails don't just target login credentials directly, but often lead victims to affiliate marketing sites.
(Image: Sadi-Santos/Shutterstock.com)
For many recipients these emails go straight to the spam folder, but occasionally they slip past classification and land in the inbox: cloud storage warnings about full storage space or failed payments. The operators do not always use them to steal login credentials. IT researchers have observed affiliate marketing websites as the destination.
This is reported by the IT security company Malwarebytes in its blog. While investigating a phishing email about alleged payment problems with cloud storage, IT analysts landed on the Freecash app. According to another Malwarebytes blog post, it ranked second in the Apple iOS charts for free apps. It promises users money for activities such as watching TikTok videos. However, the dream of a salary quickly evaporates, as the app merely directs users to online games like Monopoly Go or Disney Solitaire, promising money for completing time-limited in-game challenges.
The masterminds behind the phishing emails, whose links ultimately lead to the installation of the Freecash app, are therefore not sending users to sites that pay them for scrolling, but to games on which they might spend money or in which they watch paid advertisements. According to Malwarebytes, Freecash is backed by the Berlin-based company Almedia, which describes the platform as a way to connect mobile game developers with users who will likely install and spend money on them.
Large-scale Cloud Storage Subscription Scam
Malwarebytes also refers to Bleepingcomputer, which has identified further destinations in this worldwide scam based on alleged cloud storage emails with “warnings to recipients that their photos, files, and accounts would be blocked or deleted due to alleged payment problems.” The links in the emails point, for example, to “https://storage.googleapis.com/[..]/redirect.html” and, by referencing Google's Cloud Storage, give the impression of being legitimate. The redirect that Malwarebytes' IT researchers found there led to a website that was already known and on the blocklist, and where phishing had been observed before.
After several redirects, a website displays a fake CAPTCHA, which, after being solved, redirects to the Freecash domain. Bleepingcomputer has observed further destinations, including VPN offers, little-known security software, or subscription-based offers with no connection to cloud storage. The authors conclude: “Instead of directly stealing login credentials, the campaign appears to be aimed at monetizing traffic by redirecting victims to affiliate offers where operators are paid for sign-ups or conversions.”
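A mail-filter heuristic for the link pattern described above, as an added example that is not taken from Malwarebytes or Bleepingcomputer. Only the host storage.googleapis.com and the redirect.html object come from the article; the lure terms, the "any hosted HTML object" rule, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed lure wording, derived from the warnings quoted in the article.
LURE_TERMS = ("payment", "storage", "blocked", "deleted")
# Object-storage host named in the article; extend for your own environment.
OBJECT_HOSTS = {"storage.googleapis.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(msg):
    """Return all http(s) URLs found in the text and HTML parts of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(u.rstrip(".,)") for u in URL_RE.findall(text))
    return urls

def score_message(raw):
    """Return findings for a raw RFC 822 message; an empty list means no match."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").lower()
    if sum(term in subject for term in LURE_TERMS) >= 2:
        findings.append("lure-subject")
    for url in extract_urls(msg):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # A user-uploaded HTML page on a provider's domain can act as a redirector.
        if host in OBJECT_HOSTS and parts.path.lower().endswith((".html", ".htm")):
            findings.append("hosted-html:" + url)
    return findings

# Constructed sample messages (not real campaign mail).
SAMPLE = """From: "Cloud Billing" <billing@example.invalid>
Subject: Payment failed: your storage files will be deleted
Content-Type: text/html; charset=utf-8

<p>Your photos will be blocked.</p>
<a href="https://storage.googleapis.com/constructed-bucket/redirect.html">Update payment</a>
"""
BENIGN = """From: colleague@example.invalid
Subject: Weekly report

See https://storage.googleapis.com/constructed-bucket/report.pdf
"""
if __name__ == "__main__":
    print(score_message(SAMPLE), score_message(BENIGN))
```

Treat the findings as a signal for quarantine or review rather than a verdict, since legitimate senders also link to HTML objects on storage.googleapis.com.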
Malwarebytes recommends accessing your accounts via the official website and not by clicking on links in unsolicited emails. Users should also not share their passwords with others. Interaction with websites that attract visitors with these methods should be avoided. How successful this scam is remains an open question. Some people should be put off when they respond to a supposedly failed payment and end up being asked to install an app that promises them money for watching TikTok videos or that offers games, VPN services, and the like. Apparently, a small number of victims is enough to make money from it; otherwise, these fraud attempts would subside.
(dmk)