
Microsoft disrupts cyber criminals who created 750 million fraudulent accounts

On Wednesday, Microsoft revealed the disruption of Storm-1152, a cybercrime-as-a-service (CaaS) network responsible for generating roughly 750 million fraudulent Microsoft accounts used in phishing, identity theft, and other illicit activities.

This CaaS entity reportedly amassed millions in illegal revenue by supplying fake accounts to other cybercrime groups, facilitating activities such as phishing, spam, ransomware, distributed denial-of-service (DDoS) attacks, and more.

Microsoft disclosed that Storm-1152 operated unlawful websites and social media pages, selling fraudulent Microsoft accounts and tools designed to bypass identity-verification and CAPTCHA controls on popular technology platforms. These services streamlined online criminal activity by minimizing the time and effort needed to obtain accounts at scale.

Among the clients of Storm-1152 was Octo Tempest, also known as Scattered Spider, 0ktapus, and UNC3944, which employed the fraudulent accounts in social engineering attacks for financial extortion. Other ransomware or extortion groups, including Storm-0252 and Storm-0455, also purchased accounts from this CaaS.

Collaborating with Arkose Labs, a bot management and account security firm that has monitored Storm-1152 since August 2021, Microsoft collected intelligence on the CaaS's operations and infrastructure. On December 7, Microsoft obtained a court order enabling the takeover of the CaaS's US-based infrastructure, including Hotmailbox[.]me, which sold the fraudulent Outlook accounts, the CAPTCHA-solving services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, and the social media accounts used to promote these services.

Furthermore, Microsoft revealed the identities of three individuals believed to be running Storm-1152—Duong Dinh Tu, Linh Van Nguyễn (aka Nguyễn Van Linh), and Tai Van Nguyen—all located in Vietnam. Microsoft’s investigation showed that these individuals not only operated and coded for the illicit websites but also provided instructions through video tutorials and chat services to users of their fraudulent services.

Arkose Labs made the initial discovery of Storm-1152's activities, prompting a joint investigation with Microsoft. Together, they catalogued the tactics, techniques, and procedures associated with the threat actor in order to identify its infrastructure.

Arkose Labs reported that Storm-1152 repeatedly adapted its business model to evade protective measures, including switching between CAPTCHA solver services. Microsoft filed a lawsuit against the three individuals on behalf of its millions of potentially affected customers, with support from Arkose Labs, and submitted detailed evidence to law enforcement agencies.

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
