Microsoft disrupts cybercrime operation selling fraudulent accounts to notorious hacking gang

Microsoft says it has successfully dismantled the infrastructure of a cybercrime operation that sold access to fraudulent Outlook accounts to other hackers, including the notorious Scattered Spider gang.

The group, tracked by Microsoft as “Storm-1152,” is described as a major player in the cybercrime-as-a-service (CaaS) ecosystem, in which criminals sell hacking and cybercrime services to other individuals or groups. Storm-1152 created approximately 750 million fraudulent Microsoft accounts for sale through its “hotmailbox.me” service to earn “millions of dollars in illicit revenue” and cause “millions of dollars in damage to Microsoft,” according to the company. The tech giant described the operation as the “number one seller and creator of fraudulent Microsoft accounts.”

Microsoft described this operation as a “scheme to use Internet ‘bots’ to hack into and deceive Microsoft’s security systems into believing that they are legitimate human consumers of Microsoft services, open Microsoft Outlook email accounts in names of fictitious users, and sell those fraudulent accounts to cybercriminals.”

The group also operated rate solver services for CAPTCHAs, including “1stCAPTCHA,” “AnyCAPTCHA” and “NoneCAPTCHA,” according to Microsoft. Storm-1152 promoted these solvers as a way to bypass any type of CAPTCHA, enabling fraudsters to abuse the online environments of Microsoft and enterprises in other industries.

Microsoft said it had identified several ransomware and extortion groups utilizing Storm-1152’s services, including Octo Tempest, better known as Scattered Spider. Scattered Spider, a now-notorious hacking group believed to be made up of young English-speaking members, was earlier this year linked to a spree of attacks targeting Okta customers in a bid to extract sensitive data. The group also claimed responsibility for the MGM Resorts attack that will cost the hotel and casino giant an estimated $100 million.

Microsoft said in a court order obtained on December 7 that its investigation into Storm-1152 revealed that Scattered Spider hackers also recently committed “massive ransomware attacks against flagship Microsoft customers,” resulting in service disruptions that inflicted hundreds of millions of dollars of damage.

Storm-1152’s services have also been used by cybercriminal groups “to injure not just Microsoft, but numerous other technology companies like X (formerly Twitter) and Google and their customers,” according to the complaint. Google did not immediately respond to TechCrunch’s questions. A message sent to X’s press email received an automated response: “Busy now, please check back later.”

Microsoft announced on Wednesday that it had successfully seized Storm-1152’s U.S.-based infrastructure and domains after obtaining the court order from the Southern District of New York. These measures included seizing hotmailbox.me and disrupting services like 1stCAPTCHA, AnyCAPTCHA and NoneCAPTCHA, as well as targeting the social media accounts used by Storm-1152 for promoting these services.

The company said it had also identified the individuals behind Storm-1152’s operations. These individuals, named Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh) and Tai Van Nguyen, are based in Vietnam, according to Microsoft.

“With today’s action, our goal is to deter criminal behavior,” said April Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit. “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”

Microsoft was assisted in its takedown of Storm-1152 by San Francisco-based cybersecurity company Arkose Labs, which said it had been tracking the operation since August 2021.

“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” Kevin Gosschalk, founder and CEO of Arkose Labs, said in a statement sent to TechCrunch. “The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet going-concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”