Millions of Microsoft Accounts Power Lattice of Automated Cyberattacks

Crimeware-as-a-service (CaaS) gang flies past CAPTCHAs, creating fraudulent accounts to sell to the likes of Scattered Spider; Microsoft mounts a counterattack.

Person looking at large wall of connected digital lights
Source: Daniil Peshkov via Alamy Stock Photo

Microsoft's Digital Crimes Unit last week disrupted a prolific cybercrime-as-a-service (CaaS) purveyor that it calls Storm-1152, which registered more than 750 million fraudulent Microsoft accounts to sell online to other cybercriminals — raking in millions of dollars in the process.

"Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms," Amy Hogan-Burney, general manager for Microsoft's DCU, explained in a posting on the group. "These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online."

Fraudulent accounts tied to fake profiles offer cybercriminals an essentially anonymous launchpad for automated criminal activities like phishing, spamming, ransomware, and other types of fraud and abuse. And Storm-1152 is the top of the fake account creation heap, providing many of the most well-known cyber threat actors out there with account services. According to Microsoft, these include Scattered Spider (aka Octo Tempest), which is the cybercrime group behind this fall's MGM Grand and Caesars Entertainment ransomware hits.

Hogan-Burney also wrote that the DCU identified the main ringleaders of the group, all based in Vietnam: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

"Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services," she wrote.

Microsoft has since submitted a criminal referral to US law enforcement on all three perps. And as part of the disruption, Microsoft obtained a greenlight court order from the Southern District of New York to seize and take offline Storm-1152's US-based infrastructure, including:

  • Hotmailbox.me, a website selling fraudulent Microsoft Outlook accounts.

  • 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, websites that sell identity-verification bypass tools for Microsoft and other technology platforms.

  • Social media sites used for marketing the services.

A Sophisticated Crimeware-as-a-Service Ring

The fact that Storm-1152 was able to bypass security checks like CAPTCHAs and generate millions of Microsoft accounts tied to nonexistent people highlights the group's sophistication, researchers say.

The racket was likely carried out by "leveraging automation, scripts, DevOps practices and AI to bypass security measures like CAPTCHAs," says Craig Jones, vice president of security operations at Ontinue, who calls the CaaS phenomenon a "complex facet of the cybercrime ecosystem … making advanced cybercrime tools accessible to a wider range of malicious actors." 

Callie Guenther, senior manager for cyber threat research at Critical Start, notes that "the use of automatic CAPTCHA-solving services indicates a fairly high level of sophistication, allowing the group to bypass one of the primary defenses against automated account creation."

She adds, "To accomplish this, they might have exploited vulnerabilities in Microsoft's account creation system, such as using patterns or loopholes that were not immediately detected by Microsoft's security systems."

Shutting Down Account Abuse

To avoid becoming an unwitting accomplice to cybercrime, platforms can take a number of steps, including deploying advanced detection algorithms that can identify and flag suspicious activities at scale, preferably with the use of AI, the researchers noted.

And implementing strong multifactor authentication (MFA) for account creation, especially those with escalated privileges, can significantly reduce the success rate of fraudulent account generation. But more work needs to be done on several fronts, according to Ontinue's Jones.

"The Storm-1152 case exemplifies the need for constant vigilance, adaptive security measures, collaborative intelligence sharing, and potentially more stringent regulatory frameworks to effectively combat the evolving landscape of cyber threats,” he explains.

 

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights