Disrupting the gateway services to cybercrime
Storm-1152 plays a significant role in the highly specialized cybercrime-as-a-service ecosystem. Cybercriminals need fraudulent accounts to support their largely automated criminal activities. With companies able to quickly identify and shut down fraudulent accounts, criminals require a greater quantity of accounts to circumvent mitigation efforts. Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can simply purchase them from Storm-1152 and other groups. This allows criminals to focus their efforts on their ultimate goals of phishing, spamming, ransomware, and other types of fraud and abuse. Storm-1152 and groups like them enable scores of cybercriminals to carry out their malicious activities more efficiently and effectively.
Microsoft Threat Intelligence has identified multiple groups engaged in ransomware, data theft and extortion that have used Storm-1152 accounts. For example, Octo Tempest, also known as Scattered Spider, obtained fraudulent Microsoft accounts from Storm-1152. Octo Tempest is a financially motivated cybercrime group that leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. Microsoft continues to track multiple other ransomware or extortion threat actors that have purchased fraudulent accounts from Storm-1152 to enhance their attacks, including Storm-0252 and Storm-0455.
On Thursday, December 7, Microsoft obtained a court order from the Southern District of New York to seize U.S.-based infrastructure and take offline websites used by Storm-1152 to harm Microsoft customers. While our case focuses on fraudulent Microsoft accounts, the websites impacted also sold services to bypass security measures on other well-known technology platforms. Today’s action therefore has a broader impact, benefiting users beyond Microsoft. Specifically, Microsoft’s Digital Crimes Unit disrupted:
- Hotmailbox.me, a website selling fraudulent Microsoft Outlook accounts.
- 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, websites that facilitate the tooling, infrastructure, and selling of the CAPTCHA solve service to bypass the confirmation of use and account setup by a real person. These sites sold identity verification bypass tools for other technology platforms.
- The social media sites actively used to market these services.
Microsoft is committed to providing a safe digital experience for every person and organization on the planet. We work closely with Arkose Labs to deploy a next-generation CAPTCHA defense solution. The solution requires every would-be user who wishes to open a Microsoft account to represent that they are a human being (not a bot) and verify the accuracy of that representation by solving various types of challenges.
As founder and CEO of Arkose Labs, Kevin Gosschalk says: “Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks. The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet going-concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”
Storm-1152’s activity not only violates Microsoft’s terms of services by selling fraudulent accounts, but it also purposely seeks to harm customers of Arkose Labs and deceive victims pretending to be legitimate users in an attempt to bypass security measures.
Our analysis of Storm-1152’s activity included detection, analysis, telemetry, undercover test purchases, and reverse engineering to pinpoint the malicious infrastructure hosted in the United States. Microsoft Threat Intelligence and Arkose Cyber Threat Intelligence Research unit (ACTIR) provided additional data and insights to strengthen our legal case.
As part of our investigation, we were able to confirm the identity of the actors leading Storm-1152’s operations – Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh) and Tai Van Nguyen – based in Vietnam. Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services.
Microsoft has since submitted a criminal referral to U.S. law enforcement. We are grateful for our partnership with law enforcement who can bring those looking to harm our customers to justice.
Today’s action is a continuation of Microsoft’s strategy of taking aim at the broader cybercriminal ecosystem and targeting the tools cybercriminals use to launch their attacks. It builds on our expansion of a legal method used successfully to disrupt malware and nation-state operations. We have also partnered with other organizations across the industry to increase intelligence sharing on fraud and further enhance our artificial intelligence and machine learning algorithms that quickly detect and flag fraudulent accounts.
As we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result. Continued public and private sector collaboration, like todays with Arkose Labs and U.S. law enforcement, remain essential if we want to meaningfully dent the impact of cybercrime.
Follow Microsoft Security