Microsoft has seized the websites of a Vietnam-based group that it claims sold millions of fake accounts to cybercriminals who used them for ransomware attacks, identity theft and other scams around the world. The group, identified by Microsoft as Storm-1152, developed sophisticated tools that are said to set up fraudulent Outlook and Hotmail email accounts in bulk.
Earlier this week, Microsoft obtained a court order from the Southern District of New York to seize US-based infrastructure and take offline websites used by Storm-1152 to harm Microsoft customers.
Storm-1152 was first detected in 2021. Cybersecurity firm Arkose Labs, which worked with Microsoft to identify the group, tracked it to Vietnam. The leaders of the group are three Vietnam-based individuals, Duong Dinh Tu, Linh Van Nguyen and Tai Van Nguyen, Microsoft said in a statement. The three names are listed in Microsoft's complaint against them in a US federal court.
What makes Storm-1152 dangerous
According to Microsoft, Storm-1152 runs illegal websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms. These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online. To date, Storm-1152 is reported to have created for sale approximately 750 million fraudulent Microsoft accounts.
How Storm-1152 works
Storm-1152 developed automated software -- or "bots" -- to create fake accounts. These bots are said to be aimed at defeating Microsoft's safeguards, such as the CAPTCHA puzzles users have to solve to prove they are human, the tech giant said in its court filing. Microsoft's court filing included a screenshot of a Storm-1152 website that boasts the use of artificial intelligence against CAPTCHA. Google and X, formerly known as Twitter, have also been hit by Storm-1152 activities, Microsoft said in the filing.
How hackers use Storm-1152
Cybercriminals need fraudulent accounts to support their largely automated criminal activities. With companies able to quickly identify and shut down fraudulent accounts, criminals require a greater quantity of accounts to circumvent these mitigation efforts. "Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can simply purchase them from Storm-1152 and other groups," Microsoft's Amy Hogan-Burney said in a blog post. This allows criminals to focus their efforts on their ultimate goals of phishing, spamming, ransomware, and other types of fraud and abuse.
The sites owned by Storm-1152 now say: "This Domain has been seized by Microsoft."