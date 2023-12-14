

Microsoft says it has disrupted a threat group based in Vietnam that created 750 million fraudulent Microsoft accounts.

The move comes after the Southern District of New York issued a court order allowing the company to seize US-based infrastructure and websites used by the group, known as Storm-1152, which is said to be the ‘number one seller and manufacturer of fraudulent Microsoft accounts’.

Microsoft has now taken down Hotmailbox.me, the marketplace for fraudulent Microsoft Outlook accounts; 1stCaptcha, AnyCaptcha, and NoneCaptcha, which sold identity verification bypass tools; and social media sites used to market these services.

Amy Hogan-Burney, general manager of cybersecurity policy and security for Microsoft, wrote, “Storm-1152 runs illicit websites and social media pages that sell fraudulent Microsoft accounts and tools to bypass identity verification software on well-known technology platforms.”

“These services reduce the time and effort required for criminals to conduct many criminal and abusive behaviors online.”

Microsoft says the group is at the center of a cybercrime-as-a-service ecosystem, supplying large numbers of accounts to cybercriminals who then use them for phishing, spamming, ransomware and other types of fraud and abuse.

Microsoft has identified some criminals using Storm-1152 accounts, including Octo Tempest, also known as Scattered Spider, a financially motivated cybercrime group that takes advantage of extensive social engineering campaigns to compromise organizations around the world. Others include the ransomware families Storm-0252 and Storm-0455.

Kevin Gosschalk, founder and CEO of Arkose Labs, which worked with Microsoft on the investigation, said, “Storm-1152 is a formidable adversary that has been established with the sole purpose of making money by empowering adversaries to conduct complex attacks.”

“The group is distinguished by the fact that it built its CaaS business in the daylight versus on the dark web. Storm-1152 operates as a typical Internet going concern, providing training for its equipment and even providing full customer support. In fact, Storm-1152 was an open gateway to serious fraud.”

The group’s CaaS business initially sold ready-made, rote solver services for CAPTCHAs to fraudsters, claiming they could bypass any type of CAPTCHA. It later began using bots to register fake Microsoft accounts, which it sold in bulk to other fraudsters for online attacks such as phishing, malware, romance scams, and in-product abuse. “That’s how it made millions of dollars,” Arkose says.

Microsoft says it has been able to identify individuals who operated and wrote code for the illegal websites, published detailed step-by-step instructions on how to use their products through video tutorials, and provided chat services to assist users of their fraud services. It said it has submitted a criminal referral to US law enforcement.

But, Hogan-Burney cautions, “As we’ve said before, no disruption is accomplished in a day. Disrupting new malicious infrastructure following a cybercrime requires tenacity and constant vigilance. While today’s legal action will impact the operations of Storm-1152, we expect other threat actors to adopt its technologies as a result.”