Microsoft Corp. has shut down the US-based infrastructure of a cybercrime group that created more than 750 million fraudulent accounts across the company's services.
Microsoft carried out the takedown with the support of Arkose Labs Inc., a venture-backed cybersecurity firm that sells a cloud platform for blocking fraud and hacking attempts aimed at its customers' services. Microsoft tracks the threat actor as Storm-1152.
A common tactic among hacking groups is to create fake accounts on services such as Microsoft Outlook and then use them for phishing or spam campaigns. Fraudulent accounts can also be used to launch distributed denial-of-service (DDoS) attacks. Attackers typically do not create such accounts themselves but purchase them from cybercrime-as-a-service outfits such as Storm-1152, the group Microsoft has now disrupted.
Storm-1152 is believed to be the "number one seller" of fraudulent Microsoft accounts, the company stated. It is estimated that the group created roughly 750 million such accounts and also created fraudulent users on other companies' services. Storm-1152 also sold software for bypassing CAPTCHAs, the challenges many websites use to verify that a request such as an account sign-up or login comes from a human rather than an automated system.
Microsoft believes that the fake accounts Storm-1152 created fueled the hacking operations of several cybercrime groups. One of them is believed to be Scattered Spider, the threat actor behind the widely reported attacks on Caesars Entertainment Inc. and MGM Resorts International earlier this year. According to Microsoft's investigation, Storm-1152 earned millions of dollars in illicit revenue while imposing far larger costs on the companies that worked to counter it.
“While our case focuses on fraudulent Microsoft accounts, the websites impacted also sold services to bypass security measures on other well-known technology platforms,” Amy Hogan-Burney, Microsoft’s general manager and associate general counsel for cybersecurity policy and protection, explained. “Today’s action therefore has a broader impact, benefiting users beyond Microsoft.”
Microsoft disrupted the group's four websites by obtaining a seizure order from a federal court in the Southern District of New York. In the course of its investigation into Storm-1152's operations, Microsoft also identified three Vietnamese nationals as the group's leaders: Duong Dinh Tu, Linh Van Nguyn, and Tai Van Nguyen. The company stated that it has referred its findings to law enforcement.