Microsoft is always looking for innovative ways to keep people safe online, and part of that effort is refusing to tolerate those who make fake versions of our products to harm other people. Distributed denial of service (DDoS) attacks, mass phishing, identity theft, and fraud are just a few of the cybercrimes that fraudulent online accounts make possible.
We are targeting Storm-1152, the top seller and creator of bogus Microsoft accounts, with the help of Arkose Labs, a reputable cybersecurity defense and bot management vendor, and their insightful threat intelligence. We are putting anyone who attempts to produce, market, or disseminate counterfeit Microsoft products to commit cybercrime on notice: we are aware of their actions and will take appropriate action.
Storm-1152 is the operator of illegitimate websites and social media pages that offer tools to get around identity verification software on popular tech platforms as well as phony Microsoft accounts. These services cut down on the time and energy that criminals require to engage in a variety of abusive and illegal activities online.
Up until now, Storm-1152 has generated about 750 million fictitious Microsoft accounts for sale, bringing in millions of dollars for the gang in illegal profits while further burdening Microsoft and other businesses with the costs of stopping their illicit activities.
Our intention with today’s action is to discourage illegal activity. We hope to increase the cost of doing business for cybercriminals by slowing down the pace of their attacks, all the while pursuing our investigation and safeguarding our clients and other internet users.
Interrupting the cybercrime gateway services
On Wednesday, Microsoft announced that it had secured a court order to confiscate equipment owned by a group known as Storm-1152, which made millions of dollars in illegal profits by selling approximately 750 million phony Microsoft accounts and tools to other criminal actors through a network of phony websites and social media pages.
Amy Hogan-Burney, the organization’s associate general counsel for cybersecurity policy and protection, stated that “fraudulent online accounts act as the gateway to a host of cybercrime, including mass phishing, identity theft, and fraud, and distributed denial-of-service (DDoS) attacks.”
According to Redmond, these cybercrime-as-a-service (CaaS) offerings are engineered to circumvent identity verification software on multiple technology platforms and to reduce the effort required to carry out malicious activities online, such as ransomware, phishing, and fraud, thereby lowering the barrier to entry for potential attackers.
Storm-1152’s accounts are allegedly being used by several threat actors, including Octo Tempest (also known as Scattered Spider), to carry out ransomware, data theft, and extortion schemes. Storm-0252 and Storm-0455 are two more financially motivated threat actors that have bought fictitious accounts from Storm-1152 to expand their attacks.
The following websites and pages have been linked to the group, which has been active since at least 2021:
Hotmailbox, used to sell Microsoft Outlook accounts
1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, used to sell machine learning-based CAPTCHA-solving services that bypass identity verification
Social media profiles to promote the services
In partnership with Arkose Labs, Microsoft announced that it had identified three Vietnamese nationals, Duong Dinh Tu, Linh Van Nguyễn (also called Nguyễn Van Linh), and Tai Van Nguyen, as key players in the creation and upkeep of the infrastructure.
“These individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services,” Hogan-Burney said.
“Not only did the company sell its technology like any other kind of software company – with pricing structures based upon a customer’s needs – but it also would perform fake account registration attacks, sell those fake accounts to other cybercriminals, and then cash out with cryptocurrency,” Patrice Boffa and Kevin Gosschalk reported.