Microsoft Corp. has shut down the U.S.-based infrastructure of a cybercrime group that created more than 750 million fraudulent accounts across the company’s services.
Microsoft carried out the takedown, which it detailed on Wednesday, with the help of a venture-backed cybersecurity provider called Arkose Labs Inc. The latter company sells a cloud platform that helps enterprises block fraud and hacking campaigns targeting their services. The threat actor Microsoft has disrupted, in turn, is tracked as Storm-1152.
Many hacker groups’ modus operandi is to create fraudulent accounts in services such as Microsoft Outlook and use them for phishing or spam campaigns. Additionally, fraudulent accounts are sometimes used to launch distributed denial-of-service, or DDoS, attacks. Hackers often don’t create such accounts themselves but rather buy them from so-called cybercrime-as-a-service groups such as Storm-1152, the threat actor that Microsoft has disrupted.
The company believes that Storm-1152 was the “number one seller” of fraudulent Microsoft accounts. It’s estimated that the group opened 750 million such accounts and also created fake users across other companies’ services. Moreover, Storm-1152 sold software for bypassing CAPTCHAs, the tests used by many online services to verify a login request came from a human and not a bot.
Microsoft says that the fraudulent accounts created by Storm-1152 powered the hacking campaigns of multiple cybercrime groups. It’s believed that one of those groups is Scattered Spider, the threat actor responsible for the high-profile cyberattacks against Caesars Entertainment Inc. and MGM Resorts International earlier this year. Microsoft’s analysis suggests that Storm-1152 generated millions of dollars in illicit revenue and incurred even higher costs for the companies that worked to block its activities.
The cybercrime infrastructure that Microsoft disrupted included a website through which Storm-1152 sold fake Outlook accounts. Additionally, the company shut down three other websites that the group used to sell its CAPTCHA bypass service as well as host the service’s software components.
“While our case focuses on fraudulent Microsoft accounts, the websites impacted also sold services to bypass security measures on other well-known technology platforms,” Amy Hogan-Burney, Microsoft’s general manager and associate general counsel for cybersecurity policy and protection, wrote in a blog post. “Today’s action therefore has a broader impact, benefiting users beyond Microsoft.”
The company disrupted the four websites by obtaining an order from a federal court in the Southern District of New York to seize them. As part of its effort to counter Storm-1152’s activities, Microsoft has also uncovered that the group is run by three individuals named Duong Dinh Tu, Linh Van Nguyễn and Tai Van Nguyen who are based in Vietnam. The company said that it has referred its findings to law enforcement.
Microsoft’s effort to disrupt Storm-1152 had multiple elements. According to Hogan-Burney, the company analyzed telemetry and made “undercover test purchases” to pinpoint the group’s malicious infrastructure in the U.S. Microsoft also drew on data collected by its in-house threat intelligence unit and Arkose researchers to build its legal case.
“Today’s action is a continuation of Microsoft’s strategy of taking aim at the broader cybercriminal ecosystem and targeting the tools cybercriminals use to launch their attacks,” Hogan-Burney wrote. “We have also partnered with other organizations across the industry to increase intelligence sharing on fraud and further enhance our artificial intelligence and machine learning algorithms that quickly detect and flag fraudulent accounts.”
