Microsoft Targets Threat Group Behind Fake Accounts

Microsoft seized parts of the infrastructure of a prolific Vietnam-based threat group that the IT giant said was responsible for creating as many as 750 million fraudulent Microsoft accounts that were then sold to other bad actors and used to launch a range of cyberattacks - from ransomware to phishing to identity theft - against Microsoft and other platforms.
The cybercrime-as-a-service operation run by the group Storm-1152 used a Hotmail account to sell the fraudulent Microsoft accounts, social media accounts to market the business, and three websites to house the tools and infrastructure and sell the CAPTCHA solve service that allowed hackers to bypass the anti-bot security feature and set up and use the accounts.
The threat group, which ran the operation like a retail business, pulled in millions of dollars over the past couple of years, according to Amy Hogan-Burney, general manager and associate general counsel for Microsoft's Cybersecurity Policy and Protection unit.
She added that Storm-1152 plays a key role in the CaaS landscape.
As with any as-a-service business, CaaS lowers the bar to entry, enabling less-skilled bad actors to carry out effective attacks and focus their efforts on running ransomware, phishing, spamming, and other criminal campaigns.
CaaS operations are a growing threat, relatively unknown a few years ago and now accounting for about 80% of the attack traffic seen by Arkose Labs' security operation center.
Arkose has been tracking Storm-1152 since 2021 and worked closely with Microsoft to disrupt the group's operations.
Hogan-Burney wrote that multiple groups involved with ransomware, data theft, and extortion used fraudulent accounts from Storm-1152, including Octo Tempest - also known as Scattered Spider - a financially motivated threat actor that uses social engineering tactics to compromise organizations.
Other groups include Storm-0252, which runs phishing campaigns and was back in the news this week for using Google Forms to give its scheme an air of legitimacy.
Another using Storm-1152's services is Storm-0455, the Russia-linked espionage group also known as Strontium and APT29 and the cybercriminals behind the high-profile SolarWinds attack in 2020.
Storm-1152 initially built its business on AnyCaptcha.com, a CAPTCHA solver service that came with a versatile business model, according to Arkose's Gosschalk and Boffa.
The Arkose Cyber Threat Intelligence Research unit first detected the CaaS operation in 2021, a systematic effort that was one of the early solver approaches that used machine learning techniques, they wrote.
The group later started using the aliases 1stCaptcha and NoneCaptcha and operated hotmailbox.me, which made it among the largest and most sophisticated of such attackers ACTIR had seen, due in large part to its persistence and rapid pace of innovation.
Hogan-Burney wrote that Microsoft obtained a court order December 7 from the Southern District of New York to seize any of Storm-1152's infrastructure based in the United States and take its website offline, adding that the technology was used to not only create and sell fraudulent Microsoft accounts but also to slip past security measures on other technology platforms.
In all, the company took down all three CAPTCHA solver websites, the Hotmail account, and the social accounts used to sell the group's services.
It also confirmed the identities of three people leading the Storm-1152 operations - Duong Dinh Tu, Linh Van Nguyễn, and Tai Van Nguyen - who are based in Vietnam.
The three operated the services, wrote the code for the websites, published detailed instructions for using their products via video tutorials, and provided chat services to help those using the services.


This Cyber News was published on securityboulevard.com. Publication date: Thu, 14 Dec 2023 16:13:04 +0000

