Ongoing Phishing Campaign Abusing Google Cloud Storage to Redirect Users to Multiple Scam Pages

March 14, 2026 Anurag GawandeLeave a comment

A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure:

Analysis of an Integrated Phishing Campaign Utilizing Google Cloud Infrastructure

While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD.

What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings.

Newly Observed Google Cloud Storage URLs

The following URLs were identified during the investigation:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html
storage[.]googleapis[.]com/wetaobao/taobao.html
storage[.]googleapis[.]com/savelinge/goforward.html
storage[.]googleapis[.]com/lithesome/stepupnow.html

One particular page stood out during analysis:

This page appears to function as a traffic distribution page, redirecting visitors to multiple phishing sites depending on campaign configuration.

storage[.]googleapis[.]com/whilewait/successcomes.html

I also shared an earlier observation on X (Twitter):

18 more phishing emails in just two days.

🔗 Sample URLs:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html… https://t.co/Wsh5ahUiTu pic.twitter.com/5TuRjWogxt
— Anurag (@Malwarehunterr) February 27, 2026

Traffic Redirection to .autos Phishing Domains

The redirector page was observed sending users to various phishing domains, most of which are hosted under the .autos top-level domain.

These phishing sites are themed around different scams designed to lure victims into providing personal or financial information.

Below are the different campaign themes identified.

Netflix Reward Phishing Pages

Some pages impersonate Netflix reward programs, claiming users have won prizes or special promotions.

Domains involved:

digital-shift-us-bin[.]autos
searchonboardloadingrock[.]autos
mailanalyticsvolseries[.]autos
verifieddreamseriesultimate[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos

Additional domains were also shared by an X user @skocherhan quoting my earlier post:

#phishing

golddreamflyrock[.]autos
yeahf2fprtctrl[.]autos
smartdreambio[.]autos
kolloadingshiftanalytics[.]autos
analyticsprt[.]autos
voldel[.]autos
onboardnatf2fdirect[.]autos
tipsonboardvolnbllc[.]autos
moviefiz[.]autos
d3b7b967ea[.]treadwear[.]autos
movies-4u[.]autos… https://t.co/LcgfefVofd
— ܛܔܔܔܛܔܛܔܛ (@skocherhan) March 12, 2026

Additional domains observed:

goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos

These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize.

Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility.

Fake Dell Laptop Giveaway Survey

Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99.

Domains hosting these pages include:

avgeasyposttips[.]autos
searchonboardloadingrock[.]autos
alt-dig-gold-tab[.]autos
gold-avg-pe-nb[.]autos
tra4fficjumpchoiceclever[.]autos
digprtdreamavg[.]autos
shifttra4fficcapsmatch[.]autos
digitalshiftusbin[.]autos
spacevertabnb[.]autos
rot-digital-fly-f2f[.]autos

These pages typically:

Ask the victim to answer a few survey questions.
Display a congratulatory message.
Request credit card details to pay for shipping fees.

Fake “AI Data Assistant – Earn $500/day” Job Lure

Another theme used in this campaign promotes a fake online job opportunity, claiming users can earn $500 per day as an AI data assistant.

Observed domains:

verifieddreamseriesultimate[.]autos
pushbuttonsystem[.]net
lifeverifiedfavouritever[.]autos
mailanalyticsvolseries[.]autos
spacevertabnb[.]autos

These pages typically claim:

No experience required
High daily earnings
Work from home opportunities

Users are often redirected through several steps designed to collect personal information or push affiliate offers.

“Antivirus Subscription Expired” Phishing Pages

Another set of pages impersonates security alerts, claiming the user’s antivirus subscription has expired.

Domains observed:

safepremiumfreeriskfree[.]autos
nationalrecommendsafesmart[.]autos
deviceriskfreesafe[.]autos
freespeedpopular[.]autos
guardpopularinstalldevice[.]autos
speeddeviceboostfast[.]autos
programeffectivespeedfast[.]autos

These pages typically:

Display fake security warnings
Urge users to renew antivirus protection
Redirect victims to payment or affiliate pages.

“Cloud Storage Full” Phishing Pages

Another variation of this campaign uses cloud storage warnings, claiming the user’s storage account is full.

Observed domains:

stairs-table-fire.autos
tablewordstairs[.]autos
ceilwordinteriorbowl[.]autos
safe-premium-free-riskfree[.]autos
nationalprotectsmartfree[.]autos
guardpopularinstalldevice[.]autos
ceil-word-interior-bowl[.]autos
free-speed-popular-guard[.]autos
device-safe-clean-boost[.]autos
boost-premium-recommend-effective[.]autos
trk[.]independent-teacher-strength-nails[.]run

Additional domains were also shared by an X user quoting my earlier post:

#Phishing

accurate-cyber-proactive-defense[.]autos
accurate-guard-optimized-shield[.]autos
accurate-safe-reliable-defense[.]autos
accurate-safe-smart-defense[.]autos
accurate-smart-authorized-efficient[.]autos
accurate-smart-safe-advanced[.]autos… https://t.co/qIXObR7gLy
— ܛܔܔܔܛܔܛܔܛ (@skocherhan) March 12, 2026

These pages often mimic services such as:

Google Drive
iCloud

The goal is to scare victims into clicking through fake upgrade or security alerts.

Fake Walmart Survey Scam

Several phishing domains impersonate Walmart survey reward campaigns, often promising a free gift or prize in exchange for completing a short survey.

Domains observed:

jumpdiganalyticsprt[.]autos
avgeasyposttips[.]autos
cleververifieddigitalmatch[.]autos
altbio[.]autos
alt-dig-gold-tab[.]autos
matchstarsrotchoice[.]autos
directvolcapsus[.]autos
digprtdreamavg[.]autos

These pages typically display messages such as:

“Congratulations! You have been selected to receive a reward”
“Complete a short Walmart survey to claim your prize”

After the survey is completed, victims are usually asked to pay a small shipping fee, where credit card information is harvested.

Key Observation

One of the most notable aspects of this campaign is the central role of the Google Cloud Storage page:

storage[.]googleapis[.]com/whilewait/successcomes.html

During testing, this page was observed redirecting users to multiple phishing domains across different scam themes.

This suggests it is functioning as a traffic distribution or redirect infrastructure, allowing attackers to rotate phishing destinations while keeping the initial delivery URL stable.

Using Google Cloud Storage also adds a layer of trust, as the domain belongs to a legitimate cloud provider.

Another interesting observation is that a single .autos domain can serve multiple phishing page themes after redirection from the Google Cloud Storage page. Depending on the redirection path or parameters, the same domain may host different scams such as:

Fake surveys
Reward scams
Storage full alerts
Antivirus subscription warnings
Job offer lures

This behavior indicates that the attackers are likely using a shared phishing kit or centralized backend infrastructure, allowing them to quickly rotate scam themes while reusing the same domains.

Another observation is the high volume of phishing emails currently being distributed using this infrastructure. Over the past few days, I have been receiving around 40–50 phishing emails within a 24-hour period, many of which contain links to Google Cloud Storage pages that act as redirectors to the phishing ecosystem described in this report.

URLs repeatedly observed in these emails include:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/savelinge/goforward.html

Indicators of Compromise (IOCs)

Google Cloud URLs

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/sndrr/strow.html
storage[.]googleapis[.]com/noonchi/noon.html
storage[.]googleapis[.]com/sndrr/hmd.html
storage[.]googleapis[.]com/wetaobao/taobao.html
storage[.]googleapis[.]com/savelinge/goforward.html
storage[.]googleapis[.]com/lithesome/stepupnow.html

Phishing Domains

digital-shift-us-bin[.]autos
searchonboardloadingrock[.]autos
mailanalyticsvolseries[.]autos
verifieddreamseriesultimate[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos
goldavgpenb[.]autos
alt-dig-gold-tab[.]autos
bio-easy-pe-loading[.]autos
analytics-mail-post-quite[.]autos
favouritebiochoicelife[.]autos
avgeasyposttips[.]autos
searchonboardloadingrock[.]autos
alt-dig-gold-tab[.]autos
gold-avg-pe-nb[.]autos
tra4fficjumpchoiceclever[.]autos
digprtdreamavg[.]autos
shifttra4fficcapsmatch[.]autos
digitalshiftusbin[.]autos
spacevertabnb[.]autos
rot-digital-fly-f2f[.]autos
verifieddreamseriesultimate[.]autos
pushbuttonsystem[.]net
lifeverifiedfavouritever[.]autos
mailanalyticsvolseries[.]autos
spacevertabnb[.]autos
safepremiumfreeriskfree[.]autos
nationalrecommendsafesmart[.]autos
deviceriskfreesafe[.]autos
freespeedpopular[.]autos
guardpopularinstalldevice[.]autos
speeddeviceboostfast[.]autos
programeffectivespeedfast[.]autos
stairs-table-fire.autos
tablewordstairs[.]autos
ceilwordinteriorbowl[.]autos
safe-premium-free-riskfree[.]autos
nationalprotectsmartfree[.]autos
guardpopularinstalldevice[.]autos
ceil-word-interior-bowl[.]autos
free-speed-popular-guard[.]autos
device-safe-clean-boost[.]autos
boost-premium-recommend-effective[.]autos
trk[.]independent-teacher-strength-nails[.]run
jumpdiganalyticsprt[.]autos
avgeasyposttips[.]autos
cleververifieddigitalmatch[.]autos
altbio[.]autos
alt-dig-gold-tab[.]autos
matchstarsrotchoice[.]autos
directvolcapsus[.]autos
digprtdreamavg[.]autos

This campaign demonstrates how attackers continue to abuse trusted cloud infrastructure such as Google Cloud Storage to host redirectors that distribute victims to multiple phishing pages.

By using legitimate cloud services as part of the attack chain, threat actors can increase credibility and reduce the likelihood of immediate blocking.

The use of large numbers of disposable .autos domains further allows attackers to rotate phishing pages frequently while keeping the delivery infrastructure intact.

In addition, the system appears to restrict repeated access attempts from the same IP address. After a user successfully reaches a phishing page through the redirector, subsequent attempts to access similar URLs from the same IP may result in the page failing to load or redirecting to unrelated sites. This behavior suggests the presence of IP-based filtering or traffic distribution logic, commonly used in malicious traffic distribution systems (TDS) to control how often a visitor can access the phishing infrastructure.

How Scareware Emails Now Push Legitimate Subscriptions

January 8, 2026 Anurag Gawande2 Comments

Introduction

“Cloud Storage Full” phishing emails have been circulating for years, exploiting a simple but effective fear, the risk of losing personal data. While the lure itself hasn’t changed much, the way these scams make money has evolved significantly.

Earlier versions of this scam typically pushed users toward fake login pages or outright fraudulent payment forms. What’s increasingly being observed now is a more subtle and harder to detect approach manipulating users into paying for legitimate products through deceptive redirection and affiliate abuse.

This blog walks through a recent phishing email that abuses trusted infrastructure end to end, starting from a scareware email, moving through Google Cloud hosted landing pages and fake Cloudflare verification, and ultimately landing on a legitimate McAfee checkout page. It also ties this activity to a previously observed TotalDrive “storage full” scam, showing this is not an isolated incident but part of a broader trend.

The Phishing Email

The email claims that the recipient’s cloud account has been blocked and warns that photos and videos will be removed unless immediate action is taken. The wording is deliberately alarming and designed to create panic rather than clarity.

There is no mention of a real cloud provider, no account identifiers, and no prior context. Instead, the message relies entirely on urgency payment failure, account suspension, and imminent data loss to push the recipient toward clicking the embedded link.

Email Header Observations

The email was delivered via Mailgun, a widely used email service provider that is often abused for large scale phishing and affiliate scams.

Redirect Chain Analysis

Google Cloud Storage as the First Landing Page
Clicking the link in the email redirects the user to a page hosted on Google Cloud Storage.

Using a trusted Google domain helps attackers bypass URL reputation checks and lowers user suspicion.

Fake Cloudflare CAPTCHA Gate

Before reaching the final destination, the user is presented with a Cloudflare CAPTCHA and security check. The page displays fake scan progress and reassuring messages indicating the URL is safe.

This step serves multiple purposes. It filters automated scanners, delays analysis, and reinforces the illusion of legitimacy. This behavior closely matches what is commonly seen in Traffic Distribution Systems (TDS) used by modern phishing operations.

Intermediate Landing Page: Fake “Cloud Billing” Portal (DigitalOcean Spaces)

After clicking the link in the email, the redirection chain leads to an intermediate page hosted on DigitalOcean Spaces:

hxxps://bbb6565u5gg.sfo3.digitaloceanspaces.com/cloud_billing_v6z.html

This page presents itself as a cloud billing or subscription status portal, using generic “Cloud” branding rather than naming any real provider.

The page includes fabricated subscription details such as a storage plan size and an expiration date, creating the illusion of a real account state. None of this information is personalized or verifiable it exists purely to reinforce the scareware narrative introduced in the email.

From a technical perspective, hosting this page on DigitalOcean Spaces provides the same advantages seen elsewhere in this campaign, trusted infrastructure, HTTPS by default, and low friction for rapid deployment and rotation.

Transition to Monetization: Redirect to McAfee via Affiliate Link

Clicking “Renew Now”does not collect credentials or payment details on this page. Instead, it immediately redirects the user to a legitimate McAfee checkout page offering McAfee+ Advanced – Individual.

At first glance, everything appears legitimate, HTTPS, real branding, and a genuine payment flow. However, a closer look at the URL reveals multiple affiliate tracking parameters, including values such as affid, cjevent, and PID.

These parameters confirm that the redirect is intentional and monetized. Each completed purchase likely generates affiliate commission for the attacker. No card skimming occurs the victim enters payment details directly on McAfee’s site but the purchase itself was induced through deception.

A Familiar Pattern: The TotalDrive “Storage Full” Scam

This technique isn’t new.

A similar “storage full” phishing flow was previously documented by me on X, where victims were redirected to secure[.]totaldrive[.]com after interacting with fake iCloud warnings.

Fake Cloud Storage Full email. Clicking the link triggers multiple redirects:
storage[.googleapis[.com to bestqualityleadss[.]shop
Victims are shown a fake Drive Full & Upgrade Now page leading to secure.totaldrive[.]com to push paid storage.
misleading ads. #Phishing #scam… pic.twitter.com/fHODjA96Nd
— Anurag (@Malwarehunterr) December 17, 2025

What These Campaigns Have in Common

Across both the McAfee and TotalDrive scams, the same elements appear repeatedly. Users are confronted with fake cloud warnings, routed through trusted platforms, reassured by fake security checks, and ultimately pushed toward legitimate checkout pages. At no point are credentials stolen instead, users are manipulated into making payments they never intended to make.

Attack Flow

This campaign abuses legitimate services at every stage, email delivery platforms, cloud hosting, security branding, and affiliate marketing systems. The abuse lies not in any single component, but in how they are chained together to mislead the user.

Email Infrastructure

Sending IP – 193.24.209.200

Email Service Provider – Mailgun (legitimate ESP abused for phishing)

Observed Header Indicators

X-Mailgun-Tag: post
X-Mailgun-Track-Clicks: false

Sender Domain Pattern – *.xenravo.biz.ua

Phishing And Staging URLs

Google Cloud Storage

hxxps://storage.googleapis.com/sndrr/nobotgogomailbali_v2.html

DigitalOcean Spaces – Fake Cloud Billing Page

hxxps://bbb6565u5gg.sfo3.digitaloceanspaces.com/cloud_billing_v6z.html

Redirect And Tracking Indicators

Affiliate / Tracking Parameters Observed

affid
cjevent
PID
SID
csrc=cj
clickid
lptoken

These parameters confirm affiliate-based monetization rather than credential harvesting.

Final Monetization Endpoint

McAfee Checkout

hxxps://www.mcafee/.com/en-us/ipz/feyncart/2web/payment.html?culture=en-us&moguid=c4b71670-79cc-49cd-bc1e-69f1a705e26c&tm_local_cart_ab_test_variant=tn_xs_small_screen_pop-up_q3_23&ccpubn=en-us:direct:aff:mai&SID=882390700&cjevent=113666eaebd511f0836900670a82b820&affid=1494&csrc=cj&csrcl2=The+Affiliati+Network%2C+LLC&ccoe=direct&ccoel2=am&ccstype=partnerlinks_113666eaebd511f0836900670a82b820&CID=242012&PID=101616859

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

Tag: Google Cloud Storage phishing