Cybercriminals selling fraudulent Outlook accounts taken down by Microsoft


Microsoft has seized domains and social media accounts belonging to Storm-1152. a large cybercrime actor. The group used the infrastructure to create 750 million fraudulent Microsoft accounts and earn millions of dollars in illicit revenue.

To go after the “number one seller and creator of fraudulent Microsoft accounts,” the company obtained a court order on December 7th to seize US-based infrastructure. Then Microsoft took down the following websites:

  • Hotmailbox.me, a marketplace for fraudulent Microsoft Outlook accounts
  • 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA. These sites sold identity verification bypass tools
  • The social media sites actively used to market these services
ADVERTISEMENT
Websites seized by Microsoft

Online accounts sold by Storm-1152 act as a gateway to host cybercrime, such as phishing, identity theft, fraud, and distributed denial of service attacks.

By running illicit websites and selling fraudulent accounts and tools, Storm-1152 enabled cybercriminals to conduct a host of illegal and abusive behaviors online, causing damage to Microsoft and its clients. Fraudulent accounts were used by ransomware, data theft, and extortion cyber gangs.

One of Storm-1152’s clients was the financially motivated cybercrime group Octo Tempest, also known as Scattered Spider, which leverages social engineering campaigns to compromise organizations worldwide.

Websites seized by Microsoft

To take down the crime infrastructure, Microsoft used threat intelligence insights from cybersecurity defense and bot management vendor Arkose Labs.

“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” Kevin Gosschalk, founder and CEO of Arkose Labs, said.

“Storm-1152 operated as a typical internet going-concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”

ADVERTISEMENT

During the investigation, Microsoft confirmed the identity of the actors leading Storm-1152’s operations. Microsoft submitted a criminal referral to US law enforcement regarding individuals in Vietnam: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

“These individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services,” Microsoft’s post reads.

Microsoft says it's not stopping with this action, as its strategy aims at the broader cybercrime ecosystem. The company partnered with organizations across the industry for intelligence sharing using AI to detect and flag fraudulent accounts.

“As we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result,” the tech giant believes.