MALWAREBYTES reports a fake cloud storage alert that leads to Freecash, part of a large-scale campaign described as a cloud storage subscription scam by BleepingComputer. The scam emails claim a payment issue and urge recipients to update payment details, with a subject line noting that the recipient’s cloud account has been locked and that photos and videos will be removed.
The example email provides a Subscription ID of 9371188, Product Cloud Storage Premium, and an Expiration Date of 24 Jan 2026, and it redirects users through a chain that begins at storage.googleapis[.]com and ends at freecash[.]com after a fake CAPTCHA. The redirect flow involves domains such as feed.headquartoonjpn[.]com and hx5.submitloading[.]com, which Malwarebytes has previously blocked in other campaigns.
The end goal appears to monetise traffic by funneling victims to affiliate offers rather than stealing credentials directly, with promoted products including VPN services and other subscription-based offerings. Ironically, the phishing email itself offers solid security tips, but users are urged to avoid clicking unsolicited links and to use real-time anti-malware protection.
According to BleepingComputer, the campaign targeted users worldwide with repeated emails threatening blocking or deletion due to alleged payment failures.