Microsoft thwarts a cybercrime operation that sold phony accounts to a well-known hacker group.

Microsoft claims to have effectively removed the infrastructure of a cybercrime organization that provided access to bogus Outlook accounts to other hackers, including the renowned Scattered Spider gang.

The gang, dubbed “Storm-1152” by Microsoft, is regarded as a prominent actor in the cybercrime as a service (CaaS) ecosystem, in which criminals provide hacking and cybercrime services to other people or groups. Storm-1152 used its “hotmailbox.me” website to sell nearly 750 million phony Microsoft accounts in order to generate “millions of dollars in illicit revenue” and inflict “millions of dollars in damage to Microsoft,” according to the firm. According to the IT giant, the operation is the “number one seller and creator of fraudulent Microsoft accounts.”

This attack was described by Microsoft as a “scheme to use Internet ‘bots’ to hack into and deceive Microsoft’s security systems into believing that they are legitimate human consumers of Microsoft services, open Microsoft Outlook email accounts in the names of fictitious users, and sell those fraudulent accounts to cybercriminals.”

According to Microsoft, the organization also provided CAPTCHA-solving services under names such as “1stCAPTCHA,” “AnyCAPTCHA,” and “NoneCAPTCHA.” Storm-1152 touted these solvers as a way to bypass any form of CAPTCHA, allowing fraudsters to attack Microsoft’s and other organizations’ online environments.
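The scheme Microsoft describes above (bots registering accounts at scale and solver services to get past CAPTCHA) leaves a signal on the defender's side: many registrations from one source in a short window, often at a scripted, near-constant cadence. The following is an added illustration of that detection logic, not code from Microsoft, Arkose Labs or this article. It assumes a hypothetical signup log of (timestamp, source IP, username) rows, constructed inline, and the thresholds (5 signups per 10 minutes, under 1 second of interval jitter) are assumed starting points that a real service would tune against its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample account-signup events (timestamp, source IP, requested username).
# These are illustrative rows, not telemetry from Microsoft or any real service.
SAMPLE_EVENTS = [
    ("2023-12-01T10:00:00", "203.0.113.5", "qvwx0001"),
    ("2023-12-01T10:00:02", "203.0.113.5", "qvwx0002"),
    ("2023-12-01T10:00:04", "203.0.113.5", "qvwx0003"),
    ("2023-12-01T10:00:06", "203.0.113.5", "qvwx0004"),
    ("2023-12-01T10:00:08", "203.0.113.5", "qvwx0005"),
    ("2023-12-01T10:00:10", "203.0.113.5", "qvwx0006"),
    ("2023-12-01T09:12:00", "198.51.100.7", "alice.m"),
    ("2023-12-01T15:40:00", "198.51.100.7", "alice.m.work"),
    ("2023-12-01T09:00:00", "192.0.2.9", "cafe-guest-1"),
    ("2023-12-01T09:47:00", "192.0.2.9", "cafe-guest-2"),
    ("2023-12-01T10:30:00", "192.0.2.9", "cafe-guest-3"),
    ("2023-12-01T11:15:00", "192.0.2.9", "cafe-guest-4"),
    ("2023-12-01T12:02:00", "192.0.2.9", "cafe-guest-5"),
]

THRESHOLD = 5                 # assumed: signups from one source inside WINDOW that trigger review
WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_JITTER_SECONDS = 1.0      # assumed: interval spread below this looks scripted, not human


def parse_events(rows):
    """Group ISO-8601 timestamps by source IP, sorted ascending per IP."""
    by_ip = defaultdict(list)
    for ts, ip, _username in rows:
        by_ip[ip].append(datetime.fromisoformat(ts))
    for ip in by_ip:
        by_ip[ip].sort()
    return by_ip


def max_signups_in_window(times, window=WINDOW):
    """Largest number of signups from one source that fall inside any sliding window."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def cadence_is_machine_like(times, max_jitter=MAX_JITTER_SECONDS):
    """True when gaps between consecutive signups are nearly constant (needs >= 4 events)."""
    if len(times) < 4:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) < max_jitter


def find_bulk_signups(by_ip, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {"count": n, "machine_like": bool}} for sources exceeding the threshold."""
    flagged = {}
    for ip, times in by_ip.items():
        count = max_signups_in_window(times, window)
        if count >= threshold:
            flagged[ip] = {"count": count, "machine_like": cadence_is_machine_like(times)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bulk_signups(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['count']} signups within {WINDOW}, scripted cadence={info['machine_like']}")
```

In the constructed data only 203.0.113.5 trips the rule: six registrations in ten seconds at an exact two-second cadence. The shared-NAT source 192.0.2.9 also produces five signups, but spread over three hours with irregular gaps, which is why a velocity check should be paired with a cadence check before a flagged source is sent to step-up verification rather than blocked outright.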

Microsoft said that many ransomware and extortion outfits, including Octo Tempest, also known as Scattered Spider, were using Storm-1152’s services. Scattered Spider, a now-famous hacking organization made up of young English-speaking individuals, was connected earlier this year to a wave of attacks targeting Okta customers in an attempt to harvest sensitive data. The organization also claimed responsibility for the MGM Resorts hack, which is expected to cost the hotel and gambling behemoth $100 million.

According to a court order obtained on December 7, Microsoft’s investigation into Storm-1152 revealed that Scattered Spider hackers recently committed “massive ransomware attacks against flagship Microsoft customers,” resulting in service disruptions costing hundreds of millions of dollars.

Storm-1152’s services have also been utilized by cybercriminal gangs “to injure not just Microsoft but numerous other technology companies like X (formerly Twitter) and Google and their customers,” according to the lawsuit. Google did not immediately reply to Eltrys’ inquiries. An automatic answer was issued from X’s press email: “Busy now, please check back later.”

After securing a court order from the Southern District of New York, Microsoft stated on Wednesday that it had effectively seized Storm-1152’s US-based infrastructure and domains. These actions included seizing hotmailbox.me and disrupting services such as 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as taking action against the social media accounts Storm-1152 used to advertise these services.

Storm-1152’s operators have also been identified, according to the company. According to Microsoft, these persons are named Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, and they are based in Vietnam.

“With today’s action, our goal is to deter criminal behavior,” said April Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit. “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”

Microsoft was supported in taking down Storm-1152 by Arkose Labs, a San Francisco-based cybersecurity firm that stated it has been following the operation since August 2021.

“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” Arkose Labs founder and CEO Kevin Gosschalk said in a statement to Eltrys. “The fact that the company built its CaaS business in the open rather than on the dark web sets it apart. Storm-1152 functioned as a conventional online concern, giving tool training and even complete customer support. Storm-1152, in fact, was an open door to major fraud.”

Author: Eltrys Team
