Microsoft on Wednesday said it obtained a court order to seize infrastructure set up by a group called Storm-1152 that peddled roughly 750 million fraudulent Microsoft accounts and tools through a network of bogus websites and social media pages to other criminal actors, netting the operators millions of dollars in illicit revenue.
"Fraudulent online accounts act as the gateway to a host of cybercrime, including mass phishing, identity theft and fraud, and distributed denial-of-service (DDoS) attacks," Amy Hogan-Burney, the company's associate general counsel for cybersecurity policy and protection, said.
These cybercrime-as-a-service (CaaS) offerings, per Redmond, are designed to get around identity verification software across various technology platforms and help minimize the efforts needed to conduct malicious activities online, including phishing, spamming, ransomware, and fraud, effectively lowering the barriers to entry for attackers.
Multiple threat actors, including Octo Tempest (aka Scattered Spider), are said to have used Storm-1152's accounts to pull off ransomware, data theft, and extortion schemes. Two other financially motivated threat actors that have purchased fraudulent accounts from Storm-1152 to scale their own attacks are Storm-0252 and Storm-0455.
The group, active since at least 2021, has been attributed to the following websites and pages -
- Hotmailbox.me for selling fraudulent Microsoft Outlook accounts
- 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA for selling machine learning-based CAPTCHA solving services to bypass identity verification
- Social media pages for advertising the services



