Microsoft claims to have successfully dismantled the infrastructure of a cybercrime operation that sold access to bogus Outlook accounts to other hackers, including the notorious Scattered Spider gang.
The group, dubbed “Storm-1152” by Microsoft, is described as a major player in the cybercrime as a service (CaaS) ecosystem, in which criminals offer hacking and cybercrime services to other individuals or groups. Storm-1152 used its “hotmailbox.me” service to sell approximately 750 million fraudulent Microsoft accounts in order to earn “millions of dollars in illicit revenue” and cause “millions of dollars in damage to Microsoft,” according to the company. According to the tech giant, the operation is the “number one seller and creator of fraudulent Microsoft accounts.”
Microsoft described the operation as a “scheme to use Internet ‘bots’ to hack into and deceive Microsoft’s security systems into believing that they are legitimate human consumers of Microsoft services, open Microsoft Outlook email accounts in names of fictitious users, and sell those fraudulent accounts to cybercriminals.”
According to Microsoft, the group also ran automated CAPTCHA-solving services under the names “1stCAPTCHA,” “AnyCAPTCHA,” and “NoneCAPTCHA.” Storm-1152 marketed these solvers as a way to bypass any type of CAPTCHA, allowing fraudsters to abuse Microsoft’s and other enterprises’ online environments at scale.
Microsoft stated that several ransomware and extortion groups, including Octo Tempest, also known as Scattered Spider, were using Storm-1152’s services. Scattered Spider, a now-notorious hacking group made up of young English-speaking members, was linked earlier this year to a wave of attacks targeting Okta customers in an attempt to steal sensitive data. The group also claimed responsibility for the MGM Resorts attack, which is expected to cost the hotel and casino giant $100 million.
According to a court order obtained on December 7, Microsoft’s investigation into Storm-1152 revealed that Scattered Spider hackers recently committed “massive ransomware attacks against flagship Microsoft customers,” resulting in service disruptions costing hundreds of millions of dollars.
Storm-1152’s services have also been used by cybercriminal groups “to injure not just Microsoft, but numerous other technology companies like X (formerly Twitter) and Google and their customers,” according to the complaint. Google did not immediately respond to TechCrunch’s inquiries. X’s press email returned an automated response: “Busy now, please check back later.”
After obtaining a court order from the Southern District of New York, Microsoft announced on Wednesday that it had successfully seized Storm-1152’s US-based infrastructure and domains. These actions included seizing hotmailbox.me and disrupting services such as 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as targeting Storm-1152’s social media accounts for promoting these services.
Microsoft said it has also identified Storm-1152’s operators. According to the company, these individuals are Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam.
“With today’s action, our goal is to deter criminal behavior,” April Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit, said. “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”
Microsoft was assisted in its takedown of Storm-1152 by San Francisco-based cybersecurity company Arkose Labs, which said it had been tracking the operation since August 2021.
“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” Kevin Gosschalk, founder and CEO of Arkose Labs, said in a statement sent to TechCrunch. “The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet going-concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”