Microsoft has cracked down on a cybercriminal group known for creating and selling fraudulent Microsoft accounts to other threat groups that they then use for various cybercrime-related activities, from phishing to ransomware attacks. The group, which Microsoft tracks as Storm-1152, has made millions of dollars selling 750 million of these types of accounts to prolific cybercrime groups like Scattered Spider and various ransomware actors.
In response, Microsoft on Dec. 7 obtained a court order from the Southern District of New York allowing the company to seize U.S.-based infrastructure and take websites used by Storm-1152 offline. Microsoft also disrupted a website used to sell fake Microsoft Outlook accounts, called Hotmailbox[.]me, three websites (1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA) used to bypass the confirmation methods set up by technology platforms to ensure accounts are created by real people, and the social media sites used to market these services. As part of its takedown efforts, Microsoft worked closely with Arkose Labs, a bot management vendor.
“With today’s action, our goal is to deter criminal behavior,” said Amy Hogan-Burney, general manager, Associate General Counsel, Cybersecurity Policy and Protection at Microsoft. “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”
Threat actors abuse Microsoft accounts as part of various attacks, from distributed denial-of-service (DDoS) attacks to mass phishing and spam campaigns. In many cases the use of these accounts helps cybercriminals bypass identity verification software and evade detection, and the ability to buy such accounts in droves, rather than having to set them up themselves, significantly reduces the time and effort their attacks require.
“Storm-1152 plays a significant role in the highly specialized cybercrime-as-a-service ecosystem,” said Hogan-Burney on Wednesday. “Cybercriminals need fraudulent accounts to support their largely automated criminal activities. With companies able to quickly identify and shut down fraudulent accounts, criminals require a greater quantity of accounts to circumvent mitigation efforts. Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can simply purchase them from Storm-1152 and other groups.”
Researchers with Microsoft Threat Intelligence and the Arkose Cyber Threat Intelligence Research unit analyzed the malicious U.S.-based infrastructure used by Storm-1152, and as part of this investigation they were able to expose the identities of several key actors behind the threat group and submit a related criminal referral to U.S. law enforcement. These individuals include Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam, said Microsoft.
“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” according to Microsoft.
Microsoft’s announcement comes as technology providers hunt for new ways to step up their defense strategies in order to prevent threat groups from leveraging legitimate cloud storage, email and messaging platforms in their cyberattacks. Microsoft, for instance, announced last year that it had suspended 20 malicious OneDrive applications associated with an operational group based in Lebanon. This disruption is different, however, because it targets the group that is actually behind the sale of these types of fraudulent accounts. While Microsoft’s disruption activity doesn’t fully stamp out Storm-1152, it does deal a blow to the threat group’s activities.
“We are sending a strong message to those who seek to create, sell or distribute fraudulent Microsoft products for cybercrime: We are watching, taking notice and will act to protect our customers,” said Hogan-Burney.