
Microsoft stops operation that created 750 million fake accounts


Microsoft announced on Wednesday the 13th that it has disrupted the operation of Storm-1152, a cybercrime-as-a-service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts to support phishing, identity theft and other criminal schemes.

The CaaS operation is believed to have made millions of dollars in revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, distributed denial of service (DDoS) and other types of attacks.

“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software on popular technology platforms. These services reduce the time and effort required for criminals to carry out a range of criminal and abusive behaviors online,” notes Microsoft.

One of Storm-1152’s clients is Octo Tempest, also known as Scattered Spider, 0ktapus and UNC3944, which used fraudulent accounts in social engineering attacks aimed at financial extortion. Storm-0252, Storm-0455, and other ransomware or extortion groups have also purchased accounts from the CaaS.

With the help of bot management and account security company Arkose Labs, which has been tracking Storm-1152 since August 2021, Microsoft gathered information about the CaaS and its activities and infrastructure, and used it to obtain a court order and seize the infrastructure of the cybercrime network in the USA.

Issued last Thursday, the 7th, the court order allowed Microsoft to take over domains such as 1stCAPTCHA, AnyCAPTCHA and NoneCAPTCHA, as well as social media accounts that the CaaS used to promote its illicit services. Additionally, the software maker revealed the identities of three individuals believed to be operating Storm-1152 — Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam.

“Our findings show that these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products through video tutorials, and provided chat services to help those using their fraudulent services,” explains Microsoft.

Storm-1152’s activities caught the attention of Arkose Labs, which began investigating the group and reported the findings to Microsoft. Together, the two companies began collecting tactics, techniques, and procedures (TTPs) associated with the threat actor to identify its infrastructure.

According to Arkose Labs, Storm-1152 has been observed changing its business model to bypass protective measures deployed against it, including switching between CAPTCHA solver services.

“Microsoft has filed suit against the individuals on behalf of its millions of customers who may have been targeted and harmed by the attacks. Arkose Labs is supporting Microsoft with our detailed evidence of the attacks,” notes Arkose Labs. The two companies also reported their findings to law enforcement authorities.


Sources: CisoAdvisor, Arkose Labs
