Microsoft just disrupted a cyber crime group behind 750 million fraudulent accounts
Microsoft said the group played a “significant” role in the cyber crime-as-a-service ecosystem
Microsoft has taken action against a group it says was behind the creation of hundreds of millions of fraudulent accounts for sale.
The tech giant obtained a court order from the Southern District of New York to seize the US-based infrastructure and take down websites used by a cyber criminal group known as Storm-1152.
Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass the Captcha software used by many companies to prove it really is a human signing up for an online account.
These fraudulent online accounts are often a route to cyber crimes such as phishing, identity theft, and fraud, as well as distributed denial of service (DDoS) attacks, the tech giant said.
Microsoft calculates that Storm-1152 created approximately 750 million fraudulent Microsoft accounts for sale, earning the group “millions of dollars in illicit revenue” and playing a major role in the highly specialized cyber crime-as-a-service ecosystem.
Threat actors and fraudsters frequently use fake accounts to support their criminal plans.
However, because companies are getting better at spotting and shutting down these bogus accounts, criminals need ever more of them to stay in business. Rather than creating the accounts themselves, they can buy them from groups like Storm-1152.
Microsoft said it has seen ransomware, data theft, and extortion groups using Storm-1152 services. For example, Octo Tempest, also known as Scattered Spider, obtained fraudulent Microsoft accounts from Storm-1152.
Octo Tempest is a financially motivated cyber crime group that uses social engineering campaigns to compromise organizations with the goal of financial extortion.
Microsoft said other groups, including Storm-0252 – which uses a fake call center to trick people into downloading ransomware – had also purchased fraudulent accounts.
As part of the takedown, Microsoft said it disrupted Hotmailbox.me, a website selling fraudulent Microsoft Outlook accounts, as well as 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA.
These websites provided the tooling, infrastructure, and sales channel for the Captcha-solving service, which is used to bypass the checks confirming that a real person is setting up and using an account.
Tracking down Storm-1152 involved analysis, telemetry, undercover test purchases, and reverse engineering to pinpoint the malicious infrastructure hosted in the US, Microsoft said.
The firm added that as part of the investigation, it was able to discover the identity of some of the alleged leaders of the group, and Microsoft said it has since submitted a criminal referral to US law enforcement.
“We are grateful for our partnership with law enforcement who can bring those looking to harm our customers to justice,” it said.
This is unlikely to be the end of the attacks for good, however.
Microsoft not out of the woods yet
Amy Hogan-Burney, Microsoft’s general manager and associate general counsel, cybersecurity policy and protection, warned that groups such as these are highly persistent and will continue to present a threat to organizations globally.
“As we’ve said before, no disruption is complete in one day. Going after cyber crime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.”
Microsoft worked with cyber security defense and bot management company Arkose Labs, which said that CaaS businesses have dramatically lowered the barriers to entry for would-be attackers.
While relatively unknown just a couple of years ago, CaaS groups are now responsible for roughly 80% of the attack traffic seen by the Arkose Labs security operations center team, and are in part responsible for the 167% increase in bot attacks this year, according to the company’s analysis.
Arkose Labs said that although this case focuses on fraudulent Microsoft accounts, the CaaS websites also sold services to bypass security measures on other well-known technology platforms.
“One of our aims in sharing this information is to alert security ops professionals to potential sessions that should be examined and to warn those on the product side of the risk that a significant number of your customer accounts might be fake,” Arkose Labs said. “Today’s action has a much broader impact, benefiting enterprises beyond Microsoft.”
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.