CAUTION : Cloud Storage Phishing email is a CRIME

It's not just spam, it's an organized cyber crime industry

This Phishing attack hit and we decided to attempt tracking down who sent it. But with the big tech industry players working against us, finding the actual criminal is nearly impossible!
If you get an email that looks like this, do not click!

Here's how we identify cyber crime, fraud, in email . .

1) False sender ID

The first thing Safenetting checks in spam or cyber crime attacks is "who sent the email." A clearly defined law within the "Can Spam Act" (short for Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003). Under the law, you cannot send commercial email using a “fake” or misleading email address if it misrepresents who is actually sending the message. Boom.

The email was sent from an unknown person using a Google server in Taiwan to mount the attack!

2) Next : we don't have a "cloud drive". Period.

It's suggesting the closure of an account we don't own! The law specifically outlaws “materially false or misleading header information” (who the email is from, routing info, etc.) and specifically

• “deceptive subject lines”
• The law requires truthful identification of the sender and clear opt-out mechanisms

3) CAN-SPAM Act Violations (Primary Email Law)

Under the CAN-SPAM Act, it is illegal to use:

• false or misleading “From”
• deceptive routing / identity information
• The "received from" address is the domain iijgio.jp appears unrelated to the impersonated “Cloud Desk” identity. In fact, when searched in ICANN's WhoIS directory, the domain does not exist. It's fake.
• The email is posing as a cloud storage provider alert
• The server origin shows Google Cloud infrastructure (googleusercontent.com), suggesting domain spoofing or compromised hosting

This is consistent with:

• identity deception (fake sender identity or impersonation)
• potential domain spoofing

What does that mean? It's against the law

CAN-SPAM section violated: 15 U.S.C. § 7704(a)(1) — materially false/misleading header information

Violations: Failure to clearly identify legitimate sender identity

• Subject line does not match the actual account state
• Uses urgency + commercial upsell framing
• Likely designed to induce click-through to phishing page
• This can qualify as: deceptive subject line under CAN-SPAM
• impersonates a “Cloud Desk” / cloud provider
• uses no verifiable corporate identity
• uses a suspicious domain not tied to any known provider

CAN-SPAM requires truthful identification of sender identity in commercial email.

Likely lack of valid opt-out mechanism (functional compliance issue)

• These are not associated with a legitimate known sender organization
• No proof of enforcement of opt-out requests
• In phishing campaigns, unsubscribe links are often tracking or malicious
• CAN-SPAM requires: valid opt-out mechanism
• CAN-SPAM requires: honoring opt-outs within 10 business days

Even if links exist, fraudulent infrastructure can invalidate compliance

Fraud / Phishing Violations (More serious crime than CAN-SPAM)

This email is far more clearly illegal under more fraud statutes than CAN-SPAM.

A. Wire fraud (18 U.S.C. § 1343)

Why this clearly qualifies as Wire fraud

• scheme to defraud
• use of interstate electronic communications (email + web links)
• intent to obtain value (credentials, access, money)

The spam email:

• impersonates a cloud storage provider
• creates urgency (“storage full”)
• directs user to external S3 page likely hosting credential theft

✔ This is classic phishing wire fraud pattern

Above is the SpamCop analysis of the email! Note all the domains that contributed to this Phishing attack. Google cloud is used to send the email, Amazon "Web Services" provides redirect pages and false "unsubscribe" page and CloudFlare is used to mask ownership of the actual cyber crime page. They all helped bring the victim to be defrauded by the crime gang.

B. Computer Fraud and Abuse Act (CFAA)

If the link leads to credential capture or unauthorized access: CFAA may apply because it involves:

• unauthorized access attempts
• inducing users to enter credentials into fake systems

C. FTC Act Section 5 (deceptive practices)

Enforced by the Federal Trade Commission, This email is:

• impersonating a cloud storage provider
• using deceptive urgency
• redirecting to non-affiliated infrastructure (Amazon Web Services (AWS) Simple Storage Service)

➡️ This is a textbook “unfair or deceptive act or practice”

D. Identity deception / impersonation

• Uses fake “Cloud Desk” branding. Tries to fool the victim
• Uses fake storage warning mimicking Google-style UI
• use of Amazon S3 URLs that are unrelated to real service provider

This is typically prosecuted under: fraud statutes, and/or impersonation / phishing-specific enforcement actions. This email is not just “spam with bad links” under CAN-SPAM. It is structurally a phishing + impersonation + credential theft scheme! CAN-SPAM applies, but fraud and deception laws are the real enforcement backbone here.

Bottom line: Who should be arrested and prosecuted?

The entity who should be arrested is the individual or group who operated the phishing infrastructure and used it to obtain or monetize stolen credentials -- but that person cannot be identified from the email alone. If CloudFlare is "not" the actual entity benefiting, they are hiding the criminals by registering and hosting the domain and NS servers. At the end of the day, we cannot find the criminals. It would take law enforcement and a subpoena for CloudFlare, and the actual Registrar.

If you get an email that claims you're cloud storage is full, or your storage cannot be backed up or any of a dozen claims that you need to "log in" -- DO NOT CLICK. DELETE the email immediately. If you feel threatened, then log into the service you use with your official method of logging in. Confirm that there's nothing wrong! Do not fall prey to such crime.

Thank you for reading!

SafeNetting . . . . SafeNetting Content on Medium

NOTE : if you are from LAW ENFORCEMENT and wish to check further, the actual spam, and research dossier is available upon request.

---

REFERENCE LINKS

• CAN-SPAM Act: A Compliance Guide for Business Advertising and Marketing Online
• CAN-SPAM Act: A Full legal text (U.S. law) The CAN-SPAM Act is codified in 15 U.S. Code Chapter 103 (15 U.S.C. §§ 7701–7713). You can read the statute in full on: govinfo (official U.S. government legal database): CAN-SPAM Act on govinfo
• Cornell Legal Information Institute (clean, readable version):15 U.S. Code Chapter 103 - Controlling The Assault of Non-Solicited Pornography And Marketing
• FTC Act Section 5 that apply to a phishing email, the governing law is: Federal Trade Commission Act — 15 U.S.C. § 45 (Section 5)
• Computer Fraud and Abuse Act (CFAA) Cornell Legal Information Institute (clean readable version) often used in phishing cases because it covers: * credential theft schemes * fake login pages * unauthorized access obtained via deception
• Title 18 of the U.S. Federal Code the full U.S. Government Publishing Office official U.S. code

© 1988–2026 · Safe Netting · SafeNetting.com · All rights reserved.

FAIR USE NOTICE: This web site may make use of copyrighted material. Such material are made available for commentary and educational purposes only. This constitutes a "Fair Use" of any such copyrighted material as provided for in TITLE 17 U.S.C. SECTION 106A-117 of the United States Copyright Law.
      Safe Netting, Safenetting.com, all rights reserved, ©2000 through present. Established on the internet in 2000, as part of the User Group Network. Safenetting was launched by brothers Joe Showker and Fred Showker as a community service to help educate the public on the dangers of the internet and connected world ** InfoManager is a trademarks for the User Group Network, ©1994