Microsoft on Wednesday announced that it has seized illicit websites and social media pages belonging to Vietnam-based cybercrime group Storm-1152 created approximately 750 million fraudulent Outlook accounts, and earned millions of dollars in illegal revenue.
The Redmond giant calls Storm-1152, a cybercrime-as-a-service (CaaS) ecosystem, “the number one seller and creator of fraudulent Microsoft accounts” who sold them online to other cybercriminals to bypass identity verification software across well-known technology platforms.
These accounts were used for several malicious activities, including mass phishing, identity theft and fraud, and distributed denial of service (DDoS) attacks.
“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms. These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online,” Amy Hogan-Burney, the General Manager of Microsoft’s Digital Crimes Unit (DCU), wrote in a blog post.
According to Microsoft, Octo Tempest, also known as Scattered Spider, is one of Storm-1152’s customers who obtained fraudulent Microsoft accounts to carry out social engineering attacks aimed towards financial extortion. Besides Octo Tempest, threat actors such as Storm-0252, Storm-0455, and other ransomware or extortion groups also purchased fraudulent accounts from Storm-1152.
On December 7, 2023, the Redmond giant obtained a court order from the Southern District of New York to seize the cybercrime ring’s U.S. based infrastructure built on the intelligence gathered on the CaaS and its activities and infrastructure by Microsoft and bot management and account security firm Arkose Labs.
“Since at least 2021, the Defendants have been engaged in a scheme to obtain millions of Microsoft Outlook email accounts in the names of fictitious users based on a series of false representations, and then sell these fraudulent accounts to malicious actors for use in various types of cybercrime,” according to the complaint.
Based on the order, Microsoft took over domains such as Hotmailbox[.]me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as social media accounts that were used by Storm-1152 to harm the company’s customers and cause damages worth hundreds of millions of dollars.
The company has also sued three individuals – Duong Dinh Tu, Linh Van Nguyen (a/k/a Nguyen Van Linh), and Tai Van Nguyen – all based in Vietnam and believed to be operating Storm-1152.
“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” added Amy Hogan-Burney.
“Today’s action is a continuation of Microsoft’s strategy of taking aim at the broader cybercriminal ecosystem and targeting the tools cybercriminals use to launch their attacks. It builds on our expansion of a legal method used successfully to disrupt malware and nation-state operations.”