Microsoft Cracks Down on Cybercrime Group Selling Millions of Fraudulent Accounts

Microsoft's Digital Crimes Unit seized multiple domains used by Storm-1152, a Vietnam-based cybercrime group that registered over 750 million fraudulent accounts.

Storm-1152 raked in millions of dollars by selling the fraudulent accounts online to other cybercriminals, according to Microsoft. It is a major cybercrime-as-a-service provider and the No. 1 seller of fraudulent Outlook accounts.

Microsoft obtained a court order from the Southern District of New York to seize U.S.-based infrastructure and take offline websites used by Storm-1152 to harm Microsoft customers.

Microsoft's Amy Hogan-Burney

“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” Amy Hogan-Burney, Microsoft’s general manager and associate general counsel for cybersecurity policy and protection, said in a blog. “These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”

Cybercriminals Need Fraudulent Accounts

Storm-1152 plays a significant role in the highly specialized cybercrime-as-a-service ecosystem, Hogan-Burney said. Cybercriminals need fraudulent accounts to support their largely automated criminal activities.

“With companies able to quickly identify and shut down fraudulent accounts, criminals require a greater quantity of accounts to circumvent mitigation efforts,” she said. “Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can simply purchase them from Storm-1152 and other groups. This allows criminals to focus their efforts on their ultimate goals of phishing, spamming, ransomware and other types of fraud and abuse. Storm-1152 and groups like them enable scores of cybercriminals to carry out their malicious activities more efficiently and effectively.”

Microsoft Threat Intelligence has identified multiple groups engaged in ransomware, data theft and extortion that have used Storm-1152 accounts. For example, Octo Tempest, also known as Scattered Spider, obtained fraudulent Microsoft accounts from Storm-1152. Octo Tempest is a financially motivated cybercrime group that leverages broad social engineering campaigns to compromise organizations globally with the goal of financial extortion. Microsoft continues to track multiple other ransomware or extortion threat actors that have purchased fraudulent accounts from Storm-1152 to enhance their attacks, including Storm-0252 and Storm-0455.

Microsoft's Actions Significant

Ontinue's Craig Jones

Craig Jones, vice president of security operations at Ontinue, said Microsoft's operation against Storm-1152 marks a significant stride in combating cybercrime. However, its long-term effectiveness is nuanced.

“The action disrupts current operations, but the long-term deterrent effect on other cybercriminals remains uncertain,” he said. “Cybercrime groups are often resilient and often quickly adapt or reemerge.”

While this sends a strong message to cybercriminals, the most determined may simply adapt their tactics in response, Jones said.

“The effectiveness is also tied to how well tech companies, law enforcement and intelligence agencies share information and coordinate efforts against cyber threats.” he said.

Microsoft's action against Storm-1152 is impactful, but assessing its long-term effectiveness requires continuous vigilance, Jones said.

“It reflects a broader industry trend where major tech companies actively engage in cybersecurity, with varying frequency and visibility of such actions,” he said. “The fight against cybercrime demands persistent and collaborative efforts across the digital ecosystem.”

Disrupting Cybercriminals, At Least Temporarily

Critical Start's Callie Guenther

Callie Guenther, senior manager of cyber threat research at Critical Start, said Microsoft’s action marks a “significant step in corporate-led cybersecurity enforcement.” This approach, while not entirely novel, underscores a proactive stance by private tech companies in combating cybercrime.

“Seizing domains and dismantling infrastructure disrupts the operations of cybercrime groups, at least temporarily,” she said. “This creates operational and financial setbacks for the criminals, forcing them to rebuild or relocate their infrastructure. Aggressive actions like this serve as a deterrent, signaling to other cybercriminals that tech companies are actively combating such activities. These operations often yield valuable intelligence, including tactics, techniques and procedures (TTPs) used by the criminals, which can be used to bolster defenses. It's important to note that such actions are more of a temporary impediment than a permanent solution. Cybercriminals often adapt quickly, finding new ways to conduct their activities.”