Microsoft Seizes Websites That Created 750 Million Fake Accounts


Microsoft foiled a Vietnam-based threat group that has created 750 million fraudulent Microsoft accounts, the company announced.

The move follows a court order issued by the Southern District of New York allowing the company to seize U.S.-based infrastructure and websites used by the cybercrime-as-a-service group, known as Storm-1152, which Microsoft said is the “number one seller and creator of fraudulent Microsoft accounts.”

Microsoft took down Hotmailbox.me, a marketplace for fraudulent Microsoft Outlook accounts; 1stCaptcha, AnyCaptcha and NoneCaptcha, which sold identity verification bypass tools; and the social media sites used to market these services.

“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” wrote Amy Hogan-Burney, general manager and associate general counsel of cybersecurity policy and protection for Microsoft. “These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”

The group, said Microsoft, is at the heart of the cybercrime-as-a-service ecosystem, supplying huge numbers of accounts to cybercriminals who then use them for phishing, spamming, ransomware and other types of fraud and abuse.

Microsoft identified some of the criminals using Storm-1152 accounts, including Octo Tempest, also known as Scattered Spider, a financially motivated cybercrime group that leverages broad social engineering campaigns to compromise organizations around the world. Others include ransomware groups Storm-0252 and Storm-0455.

“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” said Kevin Gosschalk, founder and CEO of Arkose Labs, which worked with Microsoft on the investigation.

“The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web,” he added. “Storm-1152 operated as a typical internet going concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”

The group’s CaaS business initially sold fraudsters ready-made, rote-solver services for Captchas, claiming they could bypass any type of Captcha. It later started using bots to register fake Microsoft accounts, which it sold in bulk to other fraudsters for online attacks such as phishing, malware, romance scams and in-product abuse. It earned millions of dollars this way, said Arkose.

Microsoft said it’s been able to identify the individuals who operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services. Microsoft submitted a criminal referral to U.S. law enforcement, the company said.

But, warned Hogan-Burney, “As we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.”
