Microsoft says it’s foiled a Vietnam-based threat group that has created 750 million fraudulent Microsoft accounts.
The move follows the issuing of a court order by the Southern District of New York allowing the company to seize U.S.-based infrastructure and websites used by the group, known as Storm-1152 – which it says is the ‘number one seller and creator of fraudulent Microsoft accounts’.
It’s now taken down Hotmailbox.me, a marketplace for fraudulent Microsoft Outlook accounts; 1stCaptcha, AnyCaptcha, and NoneCaptcha, which sold identity verification bypass tools; and the social media sites used to market these services.
“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” wrote Amy Hogan-Burney, general manager, associate general counsel, cybersecurity policy and protection for Microsoft.
“These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”
The group, says Microsoft, is at the heart of the cybercrime-as-a-service ecosystem, supplying huge numbers of accounts to cybercriminals that then use them for phishing, spamming, ransomware and other types of fraud and abuse.
Microsoft’s identified some of the criminals using Storm-1152 accounts, including Octo Tempest, also known as Scattered Spider, a financially-motivated cybercrime group that leverages broad social engineering campaigns to compromise organizations around the world. Others include ransomware groups Storm-0252 and Storm-0455.
“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” said Kevin Gosschalk, founder and CEO of Arkose Labs, which worked with Microsoft on the investigation.
“The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet going concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”
The group’s CaaS business initially sold fraudsters ready-made, rote solver services for Captchas, claiming they could bypass any type of Captcha. It later started using bots to register fake Microsoft accounts which it sold in bulk to other fraudsters for online attacks such as phishing, malware, romance scams and in-product abuse. It earned millions of dollars this way, says Arkose.
Microsoft says it’s been able to identify the individuals who operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services. It’s submitted a criminal referral to U.S. law enforcement, it says.
But, warns Hogan-Burney, “As we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.”

