How Scareware Emails Now Push Legitimate Subscriptions

January 8, 2026 Anurag GawandeLeave a comment

Introduction

“Cloud Storage Full” phishing emails have been circulating for years, exploiting a simple but effective fear, the risk of losing personal data. While the lure itself hasn’t changed much, the way these scams make money has evolved significantly.

Earlier versions of this scam typically pushed users toward fake login pages or outright fraudulent payment forms. What’s increasingly being observed now is a more subtle and harder to detect approach manipulating users into paying for legitimate products through deceptive redirection and affiliate abuse.

This blog walks through a recent phishing email that abuses trusted infrastructure end to end, starting from a scareware email, moving through Google Cloud hosted landing pages and fake Cloudflare verification, and ultimately landing on a legitimate McAfee checkout page. It also ties this activity to a previously observed TotalDrive “storage full” scam, showing this is not an isolated incident but part of a broader trend.

The Phishing Email

The email claims that the recipient’s cloud account has been blocked and warns that photos and videos will be removed unless immediate action is taken. The wording is deliberately alarming and designed to create panic rather than clarity.

There is no mention of a real cloud provider, no account identifiers, and no prior context. Instead, the message relies entirely on urgency payment failure, account suspension, and imminent data loss to push the recipient toward clicking the embedded link.

Email Header Observations

The email was delivered via Mailgun, a widely used email service provider that is often abused for large scale phishing and affiliate scams.

Redirect Chain Analysis

Google Cloud Storage as the First Landing Page
Clicking the link in the email redirects the user to a page hosted on Google Cloud Storage.

Using a trusted Google domain helps attackers bypass URL reputation checks and lowers user suspicion.

Fake Cloudflare CAPTCHA Gate

Before reaching the final destination, the user is presented with a Cloudflare CAPTCHA and security check. The page displays fake scan progress and reassuring messages indicating the URL is safe.

This step serves multiple purposes. It filters automated scanners, delays analysis, and reinforces the illusion of legitimacy. This behavior closely matches what is commonly seen in Traffic Distribution Systems (TDS) used by modern phishing operations.

Intermediate Landing Page: Fake “Cloud Billing” Portal (DigitalOcean Spaces)

After clicking the link in the email, the redirection chain leads to an intermediate page hosted on DigitalOcean Spaces:

hxxps://bbb6565u5gg.sfo3.digitaloceanspaces.com/cloud_billing_v6z.html

This page presents itself as a cloud billing or subscription status portal, using generic “Cloud” branding rather than naming any real provider.

The page includes fabricated subscription details such as a storage plan size and an expiration date, creating the illusion of a real account state. None of this information is personalized or verifiable it exists purely to reinforce the scareware narrative introduced in the email.

From a technical perspective, hosting this page on DigitalOcean Spaces provides the same advantages seen elsewhere in this campaign, trusted infrastructure, HTTPS by default, and low friction for rapid deployment and rotation.

Transition to Monetization: Redirect to McAfee via Affiliate Link

Clicking “Renew Now”does not collect credentials or payment details on this page. Instead, it immediately redirects the user to a legitimate McAfee checkout page offering McAfee+ Advanced – Individual.

At first glance, everything appears legitimate, HTTPS, real branding, and a genuine payment flow. However, a closer look at the URL reveals multiple affiliate tracking parameters, including values such as affid, cjevent, and PID.

These parameters confirm that the redirect is intentional and monetized. Each completed purchase likely generates affiliate commission for the attacker. No card skimming occurs the victim enters payment details directly on McAfee’s site but the purchase itself was induced through deception.

A Familiar Pattern: The TotalDrive “Storage Full” Scam

This technique isn’t new.

A similar “storage full” phishing flow was previously documented by me on X, where victims were redirected to secure[.]totaldrive[.]com after interacting with fake iCloud warnings.

Fake Cloud Storage Full email. Clicking the link triggers multiple redirects:
storage[.googleapis[.com to bestqualityleadss[.]shop
Victims are shown a fake Drive Full & Upgrade Now page leading to secure.totaldrive[.]com to push paid storage.
misleading ads. #Phishing #scam… pic.twitter.com/fHODjA96Nd
— Anurag (@Malwarehunterr) December 17, 2025

What These Campaigns Have in Common

Across both the McAfee and TotalDrive scams, the same elements appear repeatedly. Users are confronted with fake cloud warnings, routed through trusted platforms, reassured by fake security checks, and ultimately pushed toward legitimate checkout pages. At no point are credentials stolen instead, users are manipulated into making payments they never intended to make.

Attack Flow

This campaign abuses legitimate services at every stage, email delivery platforms, cloud hosting, security branding, and affiliate marketing systems. The abuse lies not in any single component, but in how they are chained together to mislead the user.

Email Infrastructure

Sending IP – 193.24.209.200

Email Service Provider – Mailgun (legitimate ESP abused for phishing)

Observed Header Indicators

X-Mailgun-Tag: post
X-Mailgun-Track-Clicks: false

Sender Domain Pattern – *.xenravo.biz.ua

Phishing And Staging URLs

Google Cloud Storage

hxxps://storage.googleapis.com/sndrr/nobotgogomailbali_v2.html

DigitalOcean Spaces – Fake Cloud Billing Page

hxxps://bbb6565u5gg.sfo3.digitaloceanspaces.com/cloud_billing_v6z.html

Redirect And Tracking Indicators

Affiliate / Tracking Parameters Observed

affid
cjevent
PID
SID
csrc=cj
clickid
lptoken

These parameters confirm affiliate-based monetization rather than credential harvesting.

Final Monetization Endpoint

McAfee Checkout

hxxps://www.mcafee/.com/en-us/ipz/feyncart/2web/payment.html?culture=en-us&moguid=c4b71670-79cc-49cd-bc1e-69f1a705e26c&tm_local_cart_ab_test_variant=tn_xs_small_screen_pop-up_q3_23&ccpubn=en-us:direct:aff:mai&SID=882390700&cjevent=113666eaebd511f0836900670a82b820&affid=1494&csrc=cj&csrcl2=The+Affiliati+Network%2C+LLC&ccoe=direct&ccoel2=am&ccstype=partnerlinks_113666eaebd511f0836900670a82b820&CID=242012&PID=101616859

Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate

January 7, 2026 Anurag GawandeLeave a comment

Overview

During analysis of a phishing URL chain, I observed a fake Cloudflare Turnstile verification page acting as an intelligent traffic filtering gate. Rather than protecting a website, this page selectively blocks, redirects, or allows access based on geolocation, proxy usage, and browser fingerprinting.

This phishing infrastructure demonstrates Traffic Distribution System like behavior commonly used in modern phishing and scam operations to evade security researchers, sandboxes, and automated crawlers while delivering payloads only to high-confidence victims.

Redirection Chain

The Cloudflare page is not legitimate and does not load any official Turnstile JavaScript. Instead, it is a static imitation combined with heavy client side fingerprinting.

Fake Cloudflare Verification Page

The landing page is designed to closely mimic a legitimate Cloudflare interstitial, creating a false sense of trust for the victim. It displays the French language title “Un instant…“, along with Cloudflare style branding and logos to appear authentic. A fake human verification checkbox labeled “Vérifiez que vous êtes humain” is presented, imitating Cloudflare’s Turnstile challenge, despite performing no real validation. The page also shows a fabricated Ray ID, a detail commonly associated with genuine Cloudflare error or verification pages. To further reinforce legitimacy, the attackers include links pointing to real Cloudflare policy and documentation pages, a tactic intended to reduce suspicion and bypass casual scrutiny by users and automated scanners alike.

However, no real Turnstile challenge exists. All logic is client side JavaScript + server side decision APIs, not Cloudflare infrastructure.

Browser Fingerprinting & Bot Detection

Once the page loads, the script silently collects a detailed browser fingerprint, including:

navigator.userAgent
navigator.webdriver (Selenium / automation detection)
Headless browser indicators
Plugin count and language settings
WebGL vendor and renderer (VM / sandbox detection)
LocalStorage and SessionStorage availability
Timezone information
Honeypot fields (website, email-confirm) to detect autofill bots

All of this data is packaged and exfiltrated to backend endpoints such as:

/_internal/base/validation/collect_info.php
/_internal/api/dashboard.php

Geo Blocking and Proxy Detection

Using Fiddler with different exit locations, the server’s decision engine responses were captured. These responses clearly show country based blocking and proxy detection logic.

This confirms explicit detection of hosting providers, VPNs, and proxy infrastructure, even when traffic originates from France.

Decoy Redirect Behavior

If a visitor is classified as blocked or suspicious, the page redirects to:

hxxps://www.mediapart.fr

This serves multiple purposes:

Makes the site appear benign during casual inspection
Misleads analysts and automated scanners
Prevents security tools from accessing the real phishing content

Only approved traffic (likely residential French IPs, real browsers) proceeds to the malicious landing page.

Why France?

Several indicators strongly suggest that this phishing infrastructure is specifically oriented toward French users. The landing page content and interface are fully localized in French (fr_FR), indicating deliberate language targeting rather than generic reuse. Access behavior appears to follow a country based allow list model, where visitors from non-French regions are blocked or redirected. When access conditions are not met, the site redirects to a well-known French news outlet as a decoy, helping the infrastructure appear benign during casual checks. Additionally, all CAPTCHA elements and user interface text are presented entirely in French, reinforcing the assessment that this setup is designed to blend seamlessly into a French browsing context and evade suspicion among local users.

Infrastructure Observations

Both domains involved in the redirect chain were newly registered on 2026-01-06.

Detection And Hunting Notes

Defenders should look for:

Fake Cloudflare Turnstile pages without official Cloudflare JS
Hidden honeypot form fields
/collect_info.php or /dashboard.php?action=visit patterns
Conditional redirects to legitimate news sites
Different behavior between residential vs proxy IPs

Confirmed malicious phishing traffic distribution system.

This is not a Cloudflare protection page.
It is a selective traffic gate designed to evade analysis and deliver phishing content only to real victims.

Source

Large-Scale Parasite SEO Campaign Using Amazon Style Pages on Cloudflare Pages

January 5, 2026 Anurag GawandeLeave a comment

Overview

This blog documents a large-scale parasite SEO (search engine poisoning) campaign identified across dozens of domains hosted on Cloudflare Pages.

The campaign relies on a reused malicious HTML template that impersonates Amazon style product pages, injects gambling related SEO spam, and abuses canonical, Open Graph, and structured data fields to hijack the reputation of unrelated legitimate websites.

Analysis using urlscan hash searches confirms that the same page template is deployed at scale, with only the embedded “legitimate” URL changing between deployments. This behavior indicates an automated SEO spam operation, not isolated compromise.

Notably, the template also embeds a legitimate Amazon sign-in URL, further reinforcing the illusion of authenticity and increasing the phishing risk surface.

No direct credential harvesting or malware delivery was observed. Nevertheless, the activity is malicious by intent, designed to manipulate search rankings and mislead both users and search engines.

Campaign Overview

The campaign combines multiple well-known SEO abuse techniques:

Fake Amazon product page URL structures
Free static hosting infrastructure (primarily Cloudflare Pages)
Gambling keyword injection (e.g., slot gacor, JUDOLBET88)
Canonical and Open Graph metadata pointing to unrelated trusted websites
Hidden backlink farms to inflate SEO signals
Embedded legitimate links to trusted services (Amazon sign-in)

Amazon Product Page Impersonation

A representative example observed in this campaign:

/dp/B08ZJVVMT4?ref=MarsFS_eero_en

Key indicators:

/dp/<ASIN> is specific to Amazon product URLs
ref= parameters mimic Amazon referral tracking
No legitimate product details, pricing, or checkout functionality exists

These URLs are crafted solely to exploit search engine familiarity and trust, not to serve users.

Embedded Amazon Sign-In Link (Risk Amplifier)

One critical finding in the analyzed html(landing page) template is the presence of a real Amazon sign-in URL:

hxxps://www.amazon.com.au/ap/signin?openid.return_to\u003dhttps%3A%2F%2Fwww.amazon.com.au%2FAmazon-dual-band-Wi-Fi-router-Charcoal%2Fproduct-reviews%2FB0DG4WZZPV%3Fie%3DUTF8\u0026openid.identity\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.assoc_handle\u003dauflex\u0026openid.mode\u003dcheckid_setup\u0026marketPlaceId\u003dA39IBJ37TRP1C6\u0026language\u003den\u0026openid.claimed_id\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.ns\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0

Although the link itself points to a legitimate Amazon domain, its inclusion serves several malicious purposes:

Trust reinforcement – Users who notice an Amazon login link may assume the page itself is legitimate.
Phishing pre-conditioning – The page trains users to expect Amazon authentication, lowering suspicion if future variants introduce credential-harvesting overlays or fake login forms.
Search engine deception – Legitimate outbound links to trusted brands can reduce automated suspicion and increase perceived legitimacy.

Infrastructure Abuse: Cloudflare Pages

A significant portion of the identified pages are hosted on pages.dev, indicating widespread abuse of Cloudflare Pages.

Why attackers favor this platform:

Attackers increasingly favor this platform because it offers free and frictionless deployment, allowing malicious infrastructure to be spun up with minimal effort or cost. The ability to rapidly propagate and clone sites enables large-scale campaigns using identical templates across numerous URLs. Built-in HTTPS support lends a false sense of legitimacy to victims while reducing setup overhead for attackers. Finally, takedown at scale is challenging without direct provider intervention, making the infrastructure resilient and attractive for sustained phishing and social-engineering operations.

The presence of identical HTML hashes across multiple pages.dev sites strongly suggests automated mass deployment.

Reputation Hijacking via Metadata Manipulation

One of the most critical behaviors in this campaign is the deliberate misuse of trusted third-party websites via metadata fields:

canonical
og:url
Structured data (Organization url)

In each deployment, these fields are set to different legitimate, unrelated websites, including:

Government portals
Educational institutions
Corporate websites
NGOs and public services

Why this technique is effective

Search engines treat canonical and structured data fields as strong trust signals. By embedding legitimate URLs, attackers attempt to:

Launder authority into spam pages
Artificially boost ranking
Associate gambling content with reputable entities
Pollute search results tied to trusted sites

The rotation of abused legitimate URLs across deployments confirms this is intentional and systematic, not accidental misconfiguration.

Template Reuse at Scale (urlscan Evidence)

Using urlscan hash-based searching, numerous sites were identified that share the same HTML fingerprint, indicating widespread reuse of a single template. These pages exhibit an identical DOM structure, contain the same hidden link blocks, and reuse identical SEO spam content across deployments. The only meaningful difference between each instance is the abused “legitimate” URL embedded into the template, highlighting automated cloning and large-scale propagation of the campaign.

This strongly confirms the presence of centralized template generation, with a single source producing identical page structures across multiple deployments. The consistent reuse further indicates automated deployment mechanisms, enabling rapid and large-scale rollout of these pages. Together, these patterns point to clear campaign level coordination, rather than isolated or opportunistic activity.

Such behavior is typical of industrial SEO poisoning operations.

Hidden Link Farm Injection

Each page contains a hidden HTML section (display:none) populated with:

Dozens of gambling-related anchor texts
Links pointing to the selected legitimate website for that deployment

Hidden link farms are a strong indicator of malicious SEO activity, designed to manipulate backlink metrics without user visibility.

Hidden Gambling Keyword

SLOT888, NAGATOTO, ANGKANET, ANGKABET, LADANGTOTO, BRI4D, SULE4D, WD YUK, OVOGG, GASING77, BROMO777, AGEN88, HQTOTO805, INFINI88, LAWU88, KENZO88, RAPI88, BETON88, KUDA4D, RAJA4D, LOTUS88, GIGA88, SULE88, TAMBANG88, MINION88, DEWA99, DEWA333, DEWATOTO, RAJA PAITO, RAJAJUDI, RAJAJP, RAJADEWA55, PADUKARAJA, WEBINI33, HYPE168, BOLA88, DEVIL666, 91DEWA, RAJA111, ROG777, TOTO77, TOP1TOTO, IBC4D, KIPASWIN, VANTASLOT, MANGJP, SAVEFROM IG, YANDEX EU, DAUN77, RAJAKOI, BIMABET, IDCASH, REDMITOTO, MEGA228, MEGAWIN228, INDOLOTTERY88, AMERIKATOTO, AMERIKA TOTO, BOLA GACOR, DADU ONLINE, DEWA666, WDBOS, SURYA123, RAYA123, JARWO123, MANCINGDUIT, MANCING DUIT, PANGKALANTOTO, NAGASAON, KAOS TOGEL, WOLES TOGEL, VESPA TOGEL, PINTU TOGEL, NADIMTOGEL, OMUTOGEL, DAYAK77, ALEXISTOGEL77, SASARANJITU, EUROTOGEL, JEBOLTOGEL, GENGTOTO, FENDI188, BIGWIN, MEGAWIN, MAHAZEUS, HARTA500, RTP JOSTOTO, ARYA88, NANASTOTO, DEPOBOS, JEJUSLOT, TARIKWDKU88, IDN SLOT, IDN POKER, SLOT88, SLOT88 RESMI, SLOT ONLINE, SLOT GACOR, SLOT THAILAND, SITUS TOGEL, TOTO TOGEL, TOTO SLOT, TOTO 4D, TOGEL ONLINE, TOGEL 4D, LUNA TOGEL, SITUS RAFFI AHMAD, SITUS TOTO 4D, SITUS TOGEL 4D, SITUS TOTO TOGEL, SITUS TOGEL TERBESAR, SITUS TOGEL RESMI, SITUS TOGEL TERPERCAYA, SLOT DEPO 10k, SLOT DEPO 10000, DEPO 10 BONUS 10, DEPO 20 BONUS 20, PADI777, SGP777, MPO100, MPO222, MPO007, MPOCASH, MPONUSA, MPO888, MPO77, MPOGACOR, LOS303, POS4D, OLLO4D, GAJAH77, DOLAR168, STARBET77, PANDAWA138, ZET77, KINGBET88, PERI909, ALADIN88, LIGA303, SITOOLS88, MPOJUTA, HAKIM77, SPBO, JET777, MINO4D, KOKO333, BATMAN123, MAXPRO88, MAMI188 LOGIN, TANAH4D, BAGONG88, IMPIAN888, SLOTONLINE, TEKTOK4D, MPO69, SLOTRESMI, PARTNER4D, MANJA88, PASUKAN99, TOOLS367, DAYANG4D, DEWABET138, HORMAT88, BUMI33, ROYALBET, ROYAL51, PAIRBET, WALET789, SULTAN99, MENARA88, SUBUR89, JOKER555, ZONA138, SARANATOGEL, SLOTGOPAY, 888WIN, SLOTQQ, SUPERSPIN555, QQZEUS, SOLO4D, 4DTOGEL, 88ASIA, SUPERWD, OLO4D, 4DASIA, QQ88, PINTU4D, QQ888, BETTOGEL, CAPIT4D, BOLASIAR, BADAI4D, ASIA118, MBO777, BIG365, ASOKA88, JURAGAN69, SUHU189, SUHU69, SUHUTOTO, KLIKSLOT, OLX888, PREMANSLOT, SAKTI123, RATUMACAU, KANTORBOLA, MT777, JP777, MPO99, ASIA4D, DEWA4D, STAR777, MPO4D, 75WBET, 56KBET, 55KBET, 55BET, 33BET, 777LIVE, 777BET, PC777, INA777, GM777, DEWAGACOR, HOKI88, HOKI188, PAY4D, ASIABET88, SKY777, JP88, 188BET, GACOR4D, SLOT303, SLOT77, DEWI78, UNYIL4D, JOSTOTO, ASIASLOT, SLOT99, BOS4D, AGEN188, AHA4D, STARSLOT, CUANSLOT, SITUS4D, PASARBARIS, WIN888, WIN777, BET77, BET88, IDNSLOT, 999BET, TOPSLOT, JUARASLOT, AGEN168, SLOT121, RAJA777, 77SLOT, PGSOFT, 88SLOT, ADA777, NEKO77, DRAGON77, INDOWIN, HOKI303, GACOR303, BET188, SLOTCUAN, AGENSLOT, RTPSLOT, VIRAL4D, JP4D, 100TOGEL, GBO138, DOSENTOTO, PARITOTO, JUDOLBET, GACOR888, HAHA303, KOKO288, AIRBET, ASIA303, TOKOWIN99, VIOBET, PRAGMATIC77, VIRAL99, GENG88, GOKIL303, GRAND77, SENIOR4D, XXTOTO, MILD88, DEWAASIA, BOSS88, INDOMASTER88, WADAH4D, CUAN368, BOLAPELANGI, FAIRTOTO, BINTANGMPO, AKARSLOT, SBOTOP, PITASLOT, KAISAR88, JAZZ188, ASIAPLAY, KAPTEN33, CRAZYRICH88, MESSIPOKER, SALDO4D, SURAT4D, REDWIN69, HOMEBET88, PG TOTO, DANA TOTO, MPO SLOT, NEXUS SLOT, SLOT TOGEL, SLOT MAXWIN, SLOT 777, gacor303, slot303, SLOT DEPO 10K, SLOT HOKI, HOKI SLOT, SLOT GACOR 5000, TOGEL HK, JUDOLBET88, SLOT BRI, SLOT BCA, PRAGMATIC PLAY, JAYASLOT, LINK GACOR, HONDA4D, SARANGSBOBET, ALEXIS4D, LEVIS4D, PULAU88, GGPLAY88, INI SLOT 88, PLAYKING88, JAM GACOR DAN POLA OLYMPUS, JAM GACOR MAXWIN, JAM GACOR SLOT MAHJONG WAYS 1, JAM GACOR SUGAR MAXWIN, JAM JACKPOT SLOT, OLX123, IWANTOTO, SLOT88JP, GACOR88, RATUBET, RAJABET, JUDI4D, BANDARTOTO, SLOTASIAN, DANAGACOR, TOTO888, TOTO303, TOTO777, JUARABET, ASUAGACOR, 4DTOTO, DANA888, PGSLOT, JUDI2D, AGEN2D, EMAS4D, RACUNSLOT, MASTER77, GACOR168, SLOTASIA88, JUDITOTO, FAFABET, GACOR999, BET89, SLOT22

The presence of hundreds of gambling keywords hidden from users but visible to crawlers is one of the strongest static indicators of malicious SEO activity, even in the absence of malware or credential harvesting code.

Indicators of Compromise (IOCs)

Domains

*.pages.dev

Behavioral Patterns

/dp/B0
pages.dev/dp/
Canonical: unrelated trusted domain
Embedded legitimate sign-in URL

This campaign represents a coordinated parasite SEO operation that combines brand impersonation, reputation hijacking, and infrastructure abuse.
While no direct credential theft was observed, the inclusion of a legitimate Amazon sign-in link significantly increases the phishing risk potential, indicating a design that is deceptive by intent and easily extensible into active scams.

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

Month: January 2026

Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate

Large-Scale Parasite SEO Campaign Using Amazon Style Pages on Cloudflare Pages