Key Points:
- Microsoft is taking legal measures against Storm-1152, a group that has allegedly set up around 750 million counterfeit Microsoft accounts, generating millions in illegal revenue.
- The group is believed to have facilitated cybercrime including phishing attacks, identity theft, and distributed denial-of-service (DDoS) assaults.
- Storm-1152’s accounts have been used by multiple threat actors including Octo Tempest and financially motivated actors such as Storm-0252 and Storm-0455.
- The group, active since 2021, has been linked to various websites and pages such as Hotmailbox.me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA.
- Microsoft and Arkose Labs collaborated to identify three individuals based in Vietnam who were critical in maintaining this infrastructure.
Microsoft, in its bid to mitigate cybercrime, is taking firm legal steps against the group tracked as Storm-1152. This group has allegedly produced around 750 million fraudulent Microsoft accounts and tools and sold them through a network of counterfeit websites and social media pages, generating millions of dollars in illicit revenue. The cybercrimes facilitated by this group include identity theft and fraud, mass phishing, and distributed denial-of-service (DDoS) attacks.
Cybercrime-as-a-service (CaaS) offerings of this kind, as Microsoft states, are designed to bypass identity verification software across various technology platforms. This reduces the effort required to carry out malicious online activities, including spamming, phishing, ransomware, and fraud, and so effectively lowers the barrier to entry for attackers.
These deceitful Microsoft accounts established by Storm-1152 have been exploited by numerous threat actors such as Octo Tempest, also known as Scattered Spider. By using these accounts, these actors have managed to execute data theft, ransomware, and extortion schemes. Additionally, two financially motivated threat actors, Storm-0252 and Storm-0455, purchased fraudulent accounts from Storm-1152 to scale their attacks.
Storm-1152, active since at least 2021, has been associated with various websites and pages, such as Hotmailbox.me, which sold fraudulent Microsoft Outlook accounts. Other linked websites include 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, which offered machine learning-based CAPTCHA-solving services to evade identity verification.
In a joint intervention with Arkose Labs, Microsoft identified three individuals based in Vietnam. These individuals, namely Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, were critical in developing and maintaining the infrastructure. They not only operated the illegal websites and wrote their code, but also provided detailed instructions through video tutorials and chat services to help customers use the fraudulent services.