Ransomware, Governance, Risk and Compliance

Microsoft takes down websites used to create 750 million fraudulent accounts

A Microsoft logo is displayed on a smartphone on top of a laptop keyboard.

Microsoft seized certain websites run by a Vietnam-based group that created roughly 750 million fraudulent Microsoft accounts after the software maker received a court order a week ago from the Southern District of New York.

Posting to its blog Dec. 13, Microsoft said it identified the threat group as Storm-1152 and said in its complaint that the group runs a criminal enterprise that uses lies and deception to breach Microsoft’s CAPTCHA and other security measures, procure fraudulent Microsoft Outlook email accounts, and then sell the fraudulent accounts to a roster of cybercriminals. Microsoft said such fraudulent online accounts act as the gateway to a host of cybercrime, including mass phishing, identity theft and fraud, and distributed-denial-of-service attacks (DDoS). 

To date, these activities have earned Storm-1152 millions of dollars in illicit revenue, costing Microsoft and other companies even more to combat their criminal activity.

“At Microsoft, we continue to look for creative ways to protect people online and that includes having no tolerance for those who create fraudulent copies of our products to harm others," said Amy Hogan-Burney, general manager, associate general counsel, cybersecurity policy and protection for Microsoft.

Hogan-Burney wrote that Microsoft took down Hotmailbox.me, a marketplace for fraudulent Microsoft Outlook accounts; 1stCaptcha, AnyCaptcha, and NoneCaptcha, which sold identity verification bypass tools; as well as the social media sites used to market the fraudulent services. Microsoft said it has seized these sites, pending its request to the Southern District of New York for a jury trial.

Private-sector entities going after bad actors

Callie Guenther, senior manager, cyber threat research at Critical Start, said Microsoft’s recent move marks a significant step in corporate-led cybersecurity enforcement. Guenther said this approach, while not entirely novel, underscores a proactive stance by private tech companies in combating cybercrime and disrupts the operations of cybercrime groups, at least temporarily.

“This creates operational and financial setbacks for the criminals, forcing them to rebuild or relocate their infrastructure,” said Guenther. “Aggressive actions like this serve as a deterrent, signaling to other cybercriminals that tech companies are actively combating such activities. These operations often yield valuable intelligence, including tactics, techniques, and procedures used by the criminals, which can be used to bolster defenses.”

Guenther added that from a threat intelligence standpoint, actions like Microsoft's are crucial for understanding and countering sophisticated cybercrime operations. It helps security teams do the following: map the ecosystem of cybercrime-as-a-service; identify new trends in cybercrime — such as the use of fraudulent accounts for ransomware and data theft — and enhance the threat intelligence databases with updated indicators of compromise (IoCs) and TTPs.

Microsoft has been involved in similar actions before. In December 2021, Microsoft took action against Chinese hackers using digital certificates to mask malicious activities.

However, Guenther said such aggressive and public interventions by tech companies are relatively rare, primarily because of the complexities involved in legal and geopolitical considerations. Apple also collaborated with the FBI in 2016 to take down torrent sites.

“These actions, although not frequent, represent the increasing role of private-sector entities in cybersecurity law enforcement,” said Guenther.

Austin Berglas, global head of professional services at BlueVoyant, added that these takedowns can only advance the cause of the defenders if supported by other actions. Berglas said disruption of operations may only be temporary if the core organization and personnel are left untouched.

“The removal of accounts and websites in takedowns where the owners and operators are still free can be seen as ‘whack-a-mole’ and shortly after the seizure of these malicious sites, new infrastructure is deployed and operations continue,” said Berglas. “Dismantling an organization is almost impossible when actors are located in countries such as China and Russia, even more complex when this activity is state-sponsored. Seizures of this type need to be supported by the federal government when a connection is made to a specific host country — the only deterrent for this type of crime is through policy and economic sanction considerations.”

Ngoc Bui, cybersecurity expert at Menlo Security,said this case sheds light on the often-overlooked technical capabilities and cybercrime activities originating from countries like Vietnam. Bui said it’s a reminder that cybercrime is a global issue, with significant activities stemming from regions that might not be typically associated with high-profile cybercriminal operations.

“This underscores the need for a global perspective and cooperation in cybersecurity efforts,” said Bui. “The continuous emergence of sophisticated cybercrime groups from various parts of the world necessitates vigilant and collaborative international approaches to tackle these evolving threats effectively.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.