Microsoft Takes Legal Action to Crack Down on Storm-1152’s Cybercrime Network

Microsoft on Wednesday said it obtained a court order to seize infrastructure set up by a group called Storm-1152 that peddled roughly 750 million fraudulent Microsoft accounts and tools through a network of bogus websites and social media pages to other criminal actors, netting the operators millions of dollars in illicit revenue.

“Fraudulent online accounts act as the gateway to a host of cybercrime, including mass phishing, identity theft and fraud, and distributed denial-of-service (DDoS) attacks,” Amy Hogan-Burney, the company’s associate general counsel for cybersecurity policy and protection, said.

These cybercrime-as-a-service (CaaS) offerings, per Redmond, are designed to get around identity verification software across various technology platforms and help minimize the efforts needed to conduct malicious activities online, including phishing, spamming, ransomware, and fraud, effectively lowering the barriers to entry for attackers.

Multiple threat actors, counting Octo Tempest (aka Scattered Spider), are said to have used Storm-1152’s accounts to pull off ransomware, data theft, and extortion schemes. Two other financially motivated threat actors that have purchased fraudulent accounts from Storm-1152 to scale their own attacks are Storm-0252 and Storm-0455.

The group, active since at least 2021, has been attributed to the following websites and pages –

• Hotmailbox.me for selling fraudulent Microsoft Outlook accounts
• 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA for selling machine learning-based CAPTCHA solving services to bypass identity verification
• Social media pages for advertising the services

Microsoft, which collaborated with Arkose Labs on the initiative, said it was able to identify three individuals based in Vietnam who were instrumental in developing and maintaining the infrastructure: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

“These individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” Hogan-Burney noted.

“Not only did the company sell its technology like any other kind of software company – with pricing structures based upon a customer’s needs – but it also would perform fake account registration attacks, sell those fake accounts to other cybercriminals, and then cash out with crypto currency,” Kevin Gosschalk and Patrice Boffa said.