Pierluigi Paganini December 14, 2023

Microsoft’s Digital Crimes Unit seized multiple domains used by cybercrime group Storm-1152 to sell fraudulent Outlook accounts.

Microsoft’s Digital Crimes Unit seized multiple domains used by a cybercrime group, tracked as Storm-1152, to sell fraudulent accounts.

Storm-1152 operates illicit websites and social media pages, selling fake Microsoft accounts and tools to bypass identity verification software on popular technology platforms.

“These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.” reads the announcement published by Microsoft. “To date, Storm-1152 created for sale approximately 750 million fraudulent Microsoft accounts, earning the group millions of dollars in illicit revenue, and costing Microsoft and other companies even more to combat their criminal activity.”

On Thursday, December 7, the IT giant obtained a court order from the Southern District of New York to seize the infrastructure in the US used by the threat actors and take offline the websites.

The company pointed out that its initiative aimed at preventing fraudulent activities involving Microsoft accounts, however, the websites were also selling fraudulent accounts from other well-known technology platforms.

Microsoft’s Digital Crimes Unit disrupted the following domains:

• Hotmailbox.me, a website selling fraudulent Microsoft Outlook accounts
• 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, websites that facilitate the tooling, infrastructure, and selling of the CAPTCHA solve service to bypass the confirmation of use and account setup by a real person. These sites sold identity verification bypass tools for other technology platforms
• The social media sites actively used to market these services

The services provided by Storm-1152 allowed threat actors to carry out their malicious activities more efficiently. Microsoft identified multiple groups using Storm-1152 accounts for malicious activities, including ransomware attacks, data theft, and extortion.

Some of the groups that obtained fraudulent Microsoft accounts from Storm-1152 are Octo Tempest (aka Scattered Spider), Storm-0252, and Storm-0455.

Microsoft also identified Duong Dinh Tu, Linh Van Nguyen (a/k/a Nguyen Van Linh), and Tai Van Nguyen as key figures of the group Storm-1152.

The individuals developed and operated the websites, they also published video tutorials on how to use their products and provided chat services to their customers.

“Microsoft has since submitted a criminal referral to U.S. law enforcement. We are grateful for our partnership with law enforcement who can bring those looking to harm our customers to justice.” concludes the announcement.

“As we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Storm-1152)