Microsoft on Wednesday announced the disruption of Storm-1152, a cybercrime-as-a-service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts in support of phishing, identity theft, and other schemes.
The CaaS is believed to have made millions of dollars in illicit revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, distributed denial-of-service (DDoS), and other types of attacks.
“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms. These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online,” Microsoft notes.
One of Storm-1152’s customers has been Octo Tempest, also known as Scattered Spider, 0ktapus, and UNC3944, which has used the fraudulent accounts in social engineering attacks aimed towards financial extortion. Storm-0252, Storm-0455, and other ransomware or extortion groups also purchased accounts from the CaaS.
With help from bot management and account security firm Arkose Labs, which has been tracking Storm-1152 since August 2021, Microsoft gathered intelligence on the CaaS and its activities and infrastructure, which it then used to obtain a court order to seize the cybercrime ring’s US-based infrastructure.
Issued on December 7, the court order allowed Microsoft to take over domains such as Hotmailbox[.]me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as social media accounts that the CaaS has been using to promote the illicit services.
Additionally, Microsoft has revealed the identity of three individuals believed to be operating Storm-1152, namely Duong Dinh Tu, Linh Van Nguyễn (aka Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam.
“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” Microsoft explains.
Storm-1152’s activities first caught the eye of Arkose Labs, which started investigating the group and reported the findings to Microsoft. Together, the two companies started collecting tactics, techniques, and procedures (TTPs) associated with the threat actor, to identify its infrastructure.
According to Arkose Labs, Storm-1152 has been observed pivoting their business model to circumvent protective measures deployed against it, including switching between CAPTCHA solver services.
“Microsoft filed a lawsuit against the individuals on behalf of its millions of customers who may have been targeted and harmed by the attacks. Arkose Labs is supporting Microsoft with our detailed evidence of the attacks,” Arkose Labs notes.
The two companies also reported their findings to law enforcement.
