Microsoft has disrupted the activities of a cybercrime outfit that created over 750 million fraudulent Microsoft accounts, the tech giant announced on Wednesday.
The Vietnam-based group, codenamed Storm-1152, is the “number one seller and creator of fraudulent Microsoft accounts,” Microsoft said. The group also sells tools that allow cybercriminals to bypass CAPTCHA and other identity verification systems.
In a joint operation with Arkose Labs this month, Microsoft’s Digital Crimes Unit seized US-based infrastructure linked to Storm-1152 following a court order authorizing the company to do so. The tech giant also shut down the group’s websites.
Storm-1152’s services allowed cybercriminals to launch phishing, identity theft, ransomware attacks, and other malicious schemes, targeting countless individuals and organizations across various industries.
“We are sending a strong message to those who seek to create, sell or distribute fraudulent Microsoft products for cybercrime: We are watching, taking notice and will act to protect our customers,” Microsoft said in a blog post.
A ‘Formidable Foe’
According to Arkose Labs, Storm-1152’s services allowed less “technically adept” cybercriminals to launch cyberattacks targeting individuals and organizations. The group initially offered “CAPTCHA solver services” before adding fake Microsoft accounts to its product catalog, Arkose Labs revealed in a blog post.
Storm-1152 deployed “bots to register phony Microsoft accounts using fictitious usernames and then selling the fake accounts in bulk to other fraudsters so that they could use the accounts for a variety of online attacks like phishing, malware, romance scams, in-product abuse, etc,” Arkose said. “Storm-1152 earned millions of dollars through these illicit activities, which are predicate offenses to financial crimes like money laundering.”
Storm-1152 didn’t just offer these illegal services; it also published videos detailing how to use its products and even provided chat support for its customers. Microsoft has identified several of these customers, including Octo Tempest (a.k.a. Scattered Spider), and continues to track them.
The US-based infrastructure linked to Storm-1152 that is now offline includes websites like Hotmailbox.me (used to sell fraudulent Microsoft Outlook accounts) and others like 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA (used to offer CAPTCHA-solving and other identity verification services). Microsoft also took down the group’s social media pages where they marketed their illicit services.
The Cybercrime-as-a-Service Business
Until a few years ago, Cybercrime-as-a-Service (CaaS) was “relatively unknown,” but it is now a major threat, Arkose said. CaaS businesses like Storm-1152 offer specialized hacking and spamming services on a subscription or pay-per-use basis.
CaaS businesses usually operate on the dark web. However, Storm-1152 did not try to hide. Duong Dinh Tu — one of the suspects linked to the group — even had a YouTube channel where he showcased video demonstrations of the group’s services.
“The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet going-concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud,” founder and CEO of Arkose Labs Kevin Gosschalk said.
How to Protect Yourself From Online Threats
While this crackdown will deliver a blow to Storm-1152, Microsoft predicts that the group will “adapt their techniques.” Our cybersecurity experts put together these precautionary measures to help you stay safe from evolving online threats:
- Be extra cautious about any unusual activity on your online accounts. This includes unexpected password reset emails, unfamiliar device login alerts, or any changes to account settings that you did not initiate.
- Be wary of emails asking for personal information, especially those that include attachments or links. Verify the sender’s authenticity before responding or clicking.
- Train yourself to recognize sophisticated phishing attempts that may not be immediately obvious. This includes understanding the subtleties of domain spoofing, where a malicious website mimics a legitimate one.
- Use a premium antivirus service like Norton AntiVirus.
- Always create a strong password for each of your accounts.
For organizations, we recommend:
- If you manage a website, ensure that your CAPTCHA system is robust and capable of thwarting automated bots. Consider using advanced CAPTCHA technologies that are harder for automated solvers to bypass.
- Keep your cybersecurity efforts up-to-date, especially in relation to identity verification and account creation processes.
- Deploy advanced bot management solutions that can detect and mitigate automated traffic.
- Implement rigorous access controls.
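As an added illustration of the account-creation monitoring the list above recommends (example code written for this article, not Microsoft’s or Arkose Labs’ tooling), the script below runs two simple checks over constructed signup log lines: registration velocity per source IP, and usernames that share one template with only a trailing number changed, the pattern bulk account farms tend to leave. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signup log (not real data): "<timestamp> <source ip> <username>"
SAMPLE_LOG = """\
2023-12-13T10:00:01Z 203.0.113.7 alice.walker
2023-12-13T10:00:03Z 198.51.100.4 kxq83nd_user
2023-12-13T10:00:04Z 198.51.100.4 kxq83nd_user2
2023-12-13T10:00:06Z 198.51.100.4 kxq83nd_user3
2023-12-13T10:00:09Z 198.51.100.4 kxq83nd_user4
2023-12-13T10:00:11Z 198.51.100.4 kxq83nd_user5
2023-12-13T10:05:00Z 192.0.2.9 bob.s
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, username) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events


def find_bulk_registrations(events, window_seconds=60, max_per_window=3):
    """Return {ip: peak count} for IPs exceeding max_per_window signups in any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 > max_per_window:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def username_template_groups(events, min_group=3):
    """Group usernames that differ only by a trailing number; return groups of min_group or more."""
    groups = defaultdict(set)
    for _, _, name in events:
        groups[re.sub(r"\d+$", "", name)].add(name)
    return {stem: sorted(names) for stem, names in groups.items() if len(names) >= min_group}
```

Both signals are noisy on their own (shared NAT addresses, legitimate naming conventions), so in practice they feed a risk score alongside CAPTCHA outcomes rather than blocking outright.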