Microsoft has disrupted the infrastructure of a cybercrime operation that sold access to fraudulent Outlook accounts to other hackers, including the Scattered Spider gang. The group, which Microsoft tracks as "Storm-1152", was a major player in the cybercrime-as-a-service (CaaS) ecosystem, selling ready-made accounts and CAPTCHA-bypass tooling to individuals and groups who wanted to commit fraud without building that capability themselves. According to Microsoft, Storm-1152 created approximately 750 million fraudulent Microsoft accounts through its "hotmailbox.me" service, earning millions of dollars in illicit revenue and causing significant damage to Microsoft.
Key Takeaway
Microsoft has successfully dismantled a cybercrime operation that was selling fraudulent Outlook accounts to other hackers, including the notorious Scattered Spider gang, causing significant damage to Microsoft.
Operation Details
Microsoft described Storm-1152's operation as a scheme that used Internet "bots" to defeat Microsoft's sign-up defenses, creating Outlook email accounts in the names of fictitious users and then selling those accounts in bulk to cybercriminals. The group also ran CAPTCHA-solving services, which let fraudsters bypass the identity-verification checks that Microsoft and other enterprises place in front of account creation and other sensitive actions. Because the accounts looked like those of legitimate new users, buyers could use them for phishing, spam, fraud and follow-on intrusions without the friction of creating and verifying accounts themselves.
Impact on Ransomware and Extortion Groups
Microsoft identified several ransomware and extortion groups that used Storm-1152's services, including Scattered Spider. That group has been linked to a series of social-engineering attacks on Okta customers and to the MGM Resorts intrusion, which the hotel and casino giant has estimated will cost it roughly $100 million. Microsoft's investigation also found that Scattered Spider used accounts obtained from Storm-1152 in ransomware attacks against its customers, resulting in significant service disruptions and financial damage.
Legal Action and Seizure of Infrastructure
Microsoft obtained a court order to seize Storm-1152's U.S.-based infrastructure and domains, including hotmailbox.me, and to disrupt the 1stCAPTCHA, AnyCAPTCHA and NoneCAPTCHA services. The company also targeted the social media accounts Storm-1152 used to promote these services. Microsoft further identified the individuals behind Storm-1152's operations, who are based in Vietnam.
Goal of the Action
Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit, stated that the goal of the action was to deter criminal behavior by raising the cost of doing business for cybercriminals, while continuing the investigation and protecting customers and online users.
Microsoft was assisted in its takedown of Storm-1152 by San Francisco-based cybersecurity company Arkose Labs, which had been tracking the operation since August 2021.
Kevin Gosschalk, founder and CEO of Arkose Labs, described Storm-1152 as a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks. The group operated as a typical internet going concern, providing training for its tools and offering full customer support, ultimately serving as an unlocked gateway to serious fraud.