Microsoft Strikes Against Storm-1152 for Illegal Sale of Fake Outlook Credentials
Microsoft's Digital Crimes Unit has taken action against Storm-1152, a Vietnam-based cybercrime group, per WIRED. This group, known for being a significant cybercrime-as-a-service provider, registered over 750 million fraudulent accounts and generated millions of dollars by selling them to other cybercriminals.
Issy-les-Moulineaux, France. | Photo by Chesnot | Getty Images
All you need to know about Storm-1152
Storm-1152 specialized in fraudulent Outlook accounts and offered illegal services, including an automatic CAPTCHA-solving service to bypass Microsoft's CAPTCHA challenges, enabling the creation of more fraudulent Microsoft email accounts. The group operated illicit websites and social media pages, facilitating the sale of these fraudulent accounts and tools to bypass identity verification software on various technology platforms. Amy Hogan-Burney, General Manager of Microsoft's Digital Crimes Unit, emphasized the impact of such services in streamlining criminal activities online. The complaint states that since 2021 (at least), the group has orchestrated a scheme involving the acquisition of millions of Microsoft Outlook email accounts under fictitious user names. These fraudulent accounts are then sold to malicious actors for deployment in various forms of cybercrime.
Storm-1152 and global cybercrime syndicates
As per Microsoft Threat Intelligence, multiple cybergroups involved in ransomware, data theft, and extortion have purchased and utilized accounts supplied by Storm-1152 in their attacks. Notably, financially-driven cybercrime gangs like Storm-0252, Storm-0455, and Octo Tempest (aka Scattered Spider) employed fraudulent accounts from Storm-1152 to infiltrate organizations globally, deploying ransomware on their networks. These attacks led to significant service disruptions, resulting in damages estimated by Microsoft to be in the hundreds of millions of dollars. Microsoft's investigation indicates that the fraudulently obtained Microsoft email accounts were used by organized cybercrime groups, including Storm-0252, Storm-0455, and Octo Tempest, for various cybercriminal activities, including email phishing scams, often used as a means to spread ransomware and other malware.
Storm-1152's cybercriminal infrastructure
On December 7, 2023, Microsoft took decisive action against Storm-1152's U.S.-based infrastructure, following a court order from the Southern District of New York. The seized domains included:
- Hotmailbox.me, a website selling fraudulent Microsoft Outlook accounts
- 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, websites facilitating the tooling, infrastructure, and sale of CAPTCHA-solving services to bypass confirmation processes and account setups
- Social media sites actively used for marketing these services
Lawsuit reveals culprits behind Storm-1152's illicit operation
Microsoft also filed a lawsuit against Duong Dinh Tu, Linh Van Nguyen (a/k/a Nguyen Van Linh), and Tai Van Nguyen, alleging their involvement in hosting the cybercriminal operation on the seized domains. The complaint asserts that the defendants were responsible for managing and developing the code for the seized websites. They also created video guides on using fraudulent Outlook accounts and provided chat support to customers utilizing their illicit services. Microsoft's recent action is part of its ongoing strategy to combat the broader cybercriminal ecosystem by targeting the tools utilized in cyberattacks. This approach builds upon the company's successful use of legal methods to disrupt malware and nation-state operations, as highlighted by Hogan-Burney.