Don’t fall for “iCloud FREE Storage Notice” email scams

A couple weeks ago, we wrote about a scam e-mail alleging that a website had violated image copyrights.

We recently received another interesting message, this time more Apple-specific. It claims that “Your iCloud storage might be full,” and tries to convince the reader to upgrade to 50 GB of storage. However, the e-mail isn’t actually from Apple.

The e-mail contains links that could lead to phishing sites, other scams, malware, or other harmful sites.

What happens if you click on a link in the e-mail?

In our case, the links went to TinyURL short addresses, which in turn redirected to pages hosted at amirlabd[.]com, a domain that was registered in November. In our observations, those amirlabd pages would sometimes attempt to redirect to sites hosted at other domains, for example unanimcar[.]club or octanvolume[.]store, both of which were registered days after the e-mail was sent. This is possible because the first amirlabd URL dynamically changes the next redirection URL in the chain. Other times, the links redirected to seemingly innocuous pages, such as a Fox News RSS feed hosted at the first domain, or the actual homepage of Microsoft’s Bing search engine.

But it’s possible that the links in the e-mail originally redirected to something more harmful shortly after the message was sent. By the time we tested the links, the redirect-URL database may have changed many times. Initially, the links might have led to, for example, a phishing site designed to look like an Apple ID sign-in page.

It’s also entirely possible that the redirections change based on factors such as the visitor’s browser, operating system, or IP address. We’ve often observed phishing and spam campaigns do exactly that. Harmful sites do this to make it more difficult for anyone investigating the URLs to prove that the sites are dangerous.
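As an added example (not from the original article or from Intego), the following Python compares redirect chains recorded for one e-mail link under different clients and flags the signs discussed above: a URL shortener, a destination that varies, and domains registered recently or after the message arrived. The .example domains, the dates, the client labels and the 90-day threshold are constructed assumptions standing in for real captures and WHOIS/RDAP lookups.

```python
from datetime import date
from urllib.parse import urlsplit

SHORTENERS = {"tinyurl.com"}   # the article's links used TinyURL; extend as needed
RECENT_DAYS = 90               # assumed threshold for a "recently registered" domain

def host(url):
    """Lower-cased hostname of a URL, without a leading 'www.'."""
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def triage(observations, registered, email_sent):
    """Summarise redirect chains recorded for one e-mail link.
    observations: [(client_label, [url, ...])] captured in an isolated sandbox
    registered:   {domain: registration date}, looked up separately (WHOIS/RDAP)
    email_sent:   date the message arrived
    """
    seen, finals = set(), {}
    for client, chain in observations:
        hops = [host(u) for u in chain]
        if not hops:
            continue               # capture failed, nothing to compare
        seen.update(hops)
        finals.setdefault(hops[-1], []).append(client)
    known = {d: registered[d] for d in seen if d in registered}
    return {
        "shortener_used": sorted(seen & SHORTENERS),
        # One link landing on different hosts means the chain is dynamic: it
        # rotates over time or varies by browser, OS or IP address.
        "destination_varies": len(finals) > 1,
        "final_hosts": finals,
        "registered_after_email": sorted(d for d, r in known.items() if r > email_sent),
        "registered_recently": sorted(
            d for d, r in known.items() if 0 <= (email_sent - r).days <= RECENT_DAYS),
    }

# Constructed sample data: placeholder .example domains and made-up dates.
EMAIL_SENT = date(2024, 1, 10)
T = "https://tinyurl.com/placeholder"
OBSERVATIONS = [
    ("macOS Safari", [T, "https://redirector.example/r?id=1", "https://landing-one.example/offer"]),
    ("Windows Chrome", [T, "https://redirector.example/r?id=1", "https://www.bing.com/"]),
    ("curl, datacenter IP", [T, "https://redirector.example/rss.xml"]),
]
REGISTERED = {"redirector.example": date(2023, 11, 20), "landing-one.example": date(2024, 1, 13)}

if __name__ == "__main__":
    for key, value in triage(OBSERVATIONS, REGISTERED, EMAIL_SENT).items():
        print(f"{key}: {value}")
```

A benign final page in one capture does not clear the link; the useful signal is that the same link lands somewhere different in another capture.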

If you’re concerned that your Mac might be infected after visiting a link in an e-mail, download a free trial of VirusBarrier and scan your Mac. (To buy VirusBarrier at a discount, use the exclusive promo link for our blog readers.) If you clicked a suspicious link on a Windows PC, you can scan your PC using Intego Antivirus for Windows.

How to report scam e-mails

If an e-mail like this one isn’t caught by your spam filter, mark it as spam. By doing so, you can help your mail provider identify similar e-mails, which can help them protect other people.

For more tips on reporting scam e-mails, check out our YouTube video, “How to Report Scam Emails.”

The full text of the scam message

Here is the complete text of the email, with the username portion of the address redacted.

Dear #[username]#,

Your Cloud storage might be full. When exceeding your storage subscription limit, your photos, documents, contacts and device data will no longer be backed up. Also, your photos and videos will no longer be uploaded to Cloud Photos. Cloud Drive and apps for Cloud will not be updated on your devices.

You can continue backing up your photo’s with extra cloud storage, click and receive 50GB storage for free!

Get this deal!

Kind regards,
Subscription Team

You can see a screenshot of a similar e-mail at this Italian-language scam database site.

How can I learn more?

We discussed this scam on episode 324 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Twitter, Facebook, YouTube, Pinterest, LinkedIn, and Instagram. You can also follow the Intego Mac Podcast on Apple Podcasts.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter/X, LinkedIn, and Mastodon.