The Digital Crimes Unit of Microsoft disrupted a major supplier of cybercrime-as-a-service (CaaS) last week, dubbed Storm-1152. The attackers had registered over 750 million fake Microsoft accounts, which they planned to sell online to other cybercriminals, making millions of dollars in the process.
"Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms," Amy Hogan-Burney, general manager for Microsoft's DCU, stated . "These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”
Cybercriminals can employ fraudulent accounts linked to fictitious profiles as a virtually anonymous starting point for automated illegal operations including ransomware, phishing, spamming, and other fraud and abuse. Furthermore, Storm-1152 is the industry leader in the development of fictitious accounts, offering account services to numerous prominent cyber threat actors.
Microsoft lists Scattered Spider (also known as Octo Tempest) as one of these cybercriminals. They are the ones responsible for the ransomware attacks on Caesars Entertainment and the MGM Grand this fall).
Additionally, Hogan-Burney reported that the DCU had located the group's primary ringleaders, Tai Van Nguyen, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Duong Dinh Tu, all of whom were stationed in Vietnam.
"Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services," Burney noted.
Sophisticated crimeware-as-a-service ring
Storm-1152's ability to circumvent security measures such as CAPTCHAs and construct millions of Microsoft accounts linked to nonexistent people highlights the group's expertise, according to researchers.
The racket was likely carried out by "leveraging automation, scripts, DevOps practices, and AI to bypass security measures like CAPTCHAs." The CaaS phenomenon is a "complex facet of the cybercrime ecosystem... making advanced cybercrime tools accessible to a wider spectrum of malicious actors," stated Craig Jones, vice president of security operations at Ontinue.
According to Critical Start's Callie Guenther, senior manager of cyber threat research, "the use of automatic CAPTCHA-solving services indicates a fairly high level of sophistication, allowing the group to bypass one of the primary defences against automated account creation.”
Platforms can take a number of precautions to prevent unwittingly aiding cybercrime, the researchers noted. One such safeguard is the implementation of sophisticated detection algorithms that can recognise and flag suspicious conduct at scale, ideally with the help of AI.
Furthermore, putting robust multifactor authentication (MFA) in place for the creation of accounts—especially those with elevated privileges—can greatly lower the success rate of creating fake accounts. However, Ontinue's Jones emphasises that more work needs to be done on a number of fronts.