Microsoft says it has successfully dismantled the infrastructure of a cybercrime operation that sold access to fraudulent Outlook accounts to other hackers, including the notorious Scattered Spider gang.
The group, tracked by Microsoft as “Storm-1152”, is described as a major player in the cybercrime-as-a-service (CaaS) ecosystem, where criminals provide hacking and cybercrime services to other individuals or groups. Storm-1152 created approximately 750 million fraudulent Microsoft accounts for sale through the “hotmailbox.me” service to earn “millions of dollars in illegal revenue” and cause “millions of dollars in damage to Microsoft,” according to the company. The tech giant described the business as “the number one seller and creator of fraudulent Microsoft accounts.”
Microsoft described this feature as “a scheme to use Internet ‘bots’ to breach and trick Microsoft’s security systems into thinking they are legitimate consumers of Microsoft services, open Microsoft Outlook email accounts under fictitious user names and sell these fraudulent accounts to cybercriminals.”
The group also operated rate solving services for CAPTCHAs, including “1stCAPTCHA,” “AnyCAPTCHA,” and “NoneCAPTCHA,” according to Microsoft. Storm-1152 promoted these solvers as a way to bypass any type of CAPTCHA, allowing fraudsters to abuse the online environments of Microsoft and businesses in other industries.
Microsoft said it had identified several ransomware and extortion groups using Storm-1152’s services, including Octo Tempest, better known as Scattered Spider. Scattered Spider, a now-infamous hacking group believed to be made up of young English-speaking members, was linked earlier this year to a spree of attacks targeting Okta customers in an attempt to extract sensitive data. The group also claimed responsibility for the attack on MGM Resorts that will cost the hotel and casino giant about $100 million.
Microsoft told one court order received on Dec. 7 that its investigation into Storm-1152 revealed that Scattered Spider hackers had also recently carried out “massive ransomware attacks against top Microsoft customers,” resulting in service outages that caused hundreds of millions of dollars in damage.
Storm-1152’s services have also been used by cybercriminal groups “to harm not only Microsoft, but many other technology companies such as X (formerly Twitter) and Google and their customers,” according to the complaint. Google did not immediately respond to TechCrunch’s questions. A message sent to X’s guy’s email got an automated reply: “Busy now, check back later.”
Microsoft announced on Wednesday that it has successfully seized the infrastructure and domains of US-based Storm-1152 after receiving a court order from the Southern District of New York. These measures included seizing hotmailbox.me and stopping services such as 1stCAPTCHA, AnyCAPTCHA and NoneCAPTCHA, as well as targeting social media accounts used by Storm-1152 to promote these services.
The company said it had also identified the people behind Storm-1152’s operations. Those individuals, named Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh) and Tai Van Nguyen, are based in Vietnam, according to Microsoft.
“With our action today, our goal is to prevent criminal behavior,” said April Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit. “By trying to slow the speed at which cybercriminals launch their attacks, we aim to increase their cost of doing business while we continue our investigation and protect our customers and other online users.”
Microsoft was helped to take down Storm-1152 by San Francisco-based cybersecurity firm Arkose Labs, which said it had been monitoring the operation since August 2021.
“Storm-1152 is a formidable enemy created with the sole purpose of making money by enabling adversaries to carry out sophisticated attacks,” Kevin Gosschalk, founder and CEO of Arkose Labs, said in a statement sent to TechCrunch. “The group is distinguished by the fact that it built its CaaS business in daylight versus the dark web. Storm-1152 acted as a standard online office, providing training on its tools and even full customer support. In effect, Storm-1152 was an unlocked gateway to serious fraud.’
