Microsoft’s Digital Crimes Unit seized multiple domains used by a cybercrime group, tracked as Storm-1152, to sell fraudulent accounts.
Storm-1152 operates illicit websites and social media pages, selling fake Microsoft accounts and tools to bypass identity verification software on popular technology platforms.
“These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online,” reads the announcement published by Microsoft. “To date, Storm-1152 created for sale approximately 750 million fraudulent Microsoft accounts, earning the group millions of dollars in illicit revenue, and costing Microsoft and other companies even more to combat their criminal activity.”
On Thursday, December 7, the IT giant obtained a court order from the Southern District of New York to seize the group's US-based infrastructure and take its websites offline.
The company pointed out that its action was aimed at preventing fraudulent activity involving Microsoft accounts; however, the seized websites were also selling fraudulent accounts for other well-known technology platforms.
Microsoft’s Digital Crimes Unit disrupted the following domains:
The services provided by Storm-1152 allowed threat actors to carry out their malicious activities more efficiently. Microsoft identified multiple groups using Storm-1152 accounts for malicious activities, including ransomware attacks, data theft, and extortion.
Some of the groups that obtained fraudulent Microsoft accounts from Storm-1152 are Octo Tempest (aka Scattered Spider), Storm-0252, and Storm-0455.
Microsoft also identified Duong Dinh Tu, Linh Van Nguyen (a/k/a Nguyen Van Linh), and Tai Van Nguyen as key figures of the group Storm-1152.
The individuals developed and operated the websites; they also published video tutorials on how to use their products and provided chat support to their customers.
“Microsoft has since submitted a criminal referral to U.S. law enforcement. We are grateful for our partnership with law enforcement who can bring those looking to harm our customers to justice.” concludes the announcement.
“As we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.”
(SecurityAffairs – hacking, Storm-1152)