Microsoft has announced a major victory in its ongoing battle against cybercrime. The tech giant successfully took down the infrastructure of a notorious cybercrime operation known as “Storm-1152” that was responsible for selling fraudulent Outlook accounts to other hackers, including the infamous Scattered Spider gang. According to Microsoft, this group was a major player in the cybercrime as a service (CaaS) ecosystem, offering hacking and cybercrime services to other criminals.
This “Storm-1152” group, also known as “Scattered Spider”, had created around 750 million fake Microsoft accounts through their service called “hotmailbox.me”. This resulted in them earning millions of dollars in illegal profits and causing millions of dollars in damage to Microsoft. In fact, Microsoft described this operation as the “number one seller and creator of fraudulent Microsoft accounts”.
To carry out their illegal activities, Storm-1152 used internet bots to deceive Microsoft’s security systems and create fake Outlook accounts in the names of fictional users. These fraudulent accounts were then sold to other cybercriminals. This was all a part of their scheme to bypass security measures and make it easier for hackers to abuse Microsoft’s online environments and disrupt the services of other companies in different industries.
In addition to selling fake accounts, the group also provided CAPTCHA-solving services to criminals under various names such as “1stCAPTCHA”, “AnyCAPTCHA”, and “NoneCAPTCHA”. These services claimed to be able to bypass any type of CAPTCHA, making it easier for fraudsters to carry out their illegal activities. Microsoft also discovered that Storm-1152’s services were being used by multiple ransomware and extortion groups, including the notorious Scattered Spider gang, which has been linked to numerous high-profile attacks targeting major companies, including Okta and MGM Resorts.
However, Microsoft did not back down in the face of this cybercrime operation. In a court order obtained on December 7, the tech giant launched an investigation and identified the individuals behind Storm-1152’s operations. These individuals, named Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, were located in Vietnam.
With the help of San Francisco-based cybersecurity company Arkose Labs, Microsoft was able to successfully seize Storm-1152’s U.S.-based infrastructure and domains. This included shutting down hotmailbox.me and disrupting their CAPTCHA-solving services. The company also targeted the social media accounts used by Storm-1152 to promote their services.
According to April Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit, the goal of this action was to “deter criminal behavior” and make it more difficult and costly for cybercriminals to carry out their attacks. Microsoft also continues to investigate and protect its customers and online users from these illegal activities.
Kevin Gosschalk, founder and CEO of Arkose Labs, stated that Storm-1152 was “a formidable foe” that built its business out in the open, providing training and customer support for its illegal tools. However, in reality, this group was nothing more than “an unlocked gateway to serious fraud”.
“With today’s action, our goal is to deter criminal behavior. By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”
– April Hogan-Burney
Microsoft’s successful takedown of Storm-1152 serves as a reminder that they will not tolerate criminal activity on their platforms. With the help of companies like Arkose Labs, they will continue to fight against cybercrime and protect their customers.
