Date: 2023-12-14

Marking a major step in the fight against cybercrime, Microsoft has initiated action against Storm-1152, a group that offers a “cybercrime-as-a-service” network.

The company has aggressively pursued legal measures to dismantle Storm-1152’s network, seizing its US-based infrastructure, shutting down key websites, and rigorously investigating to identify the individuals responsible for the group’s activities.

“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” Amy Hogan-Burney, GM and associate general counsel for cybersecurity policy and protection at Microsoft, said in a blog post. “These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”

Storm-1152 has generated about 750 million fake Microsoft accounts for sale, distinguishing itself as a particularly severe threat. Unlike other groups, they provide cybercriminals with easy access to fake accounts. This convenience enables criminals to concentrate on activities such as phishing, spamming, ransomware, and various other frauds and abuses.

Efforts to slow down cybercrime

Microsoft’s actions follow a recent court order from the Southern District of New York, authorizing the company to seize US-based infrastructure and websites used by Storm-1152. The measures included seizing Hotmailbox.me and disrupting services like 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as targeting the social media platforms used for promoting these services.

“With today’s action, our goal is to deter criminal behavior,” Hogan-Burney said. “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”

Microsoft Threat Intelligence has found several groups using Storm-1152's fake accounts for ransomware and other cybercrimes. Notably, the group Octo Tempest utilized these accounts for international financial extortion. Microsoft is also monitoring other groups like Storm-0252 and Storm-0455, who have similarly employed Storm-1152's services for more effective cyberattacks.

Identifying the people behind attacks

Microsoft has identified the people behind Storm-1152’s operations – Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen – based in Vietnam. In the blog post, Microsoft posted a screenshot of Duong’s YouTube channel with “how-to videos” to bypass security measures.

“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services,” Hogan-Burney said.

Microsoft worked with Arkose Labs to investigate and take action against the group. In the blog post, Kevin Gosschalk, founder and CEO of Arkose Labs, said that Storm-1152 raised significant concern due to their method that allowed profiting by enabling complex attacks. He noted the group is unique in operating its 'Cybercrime-as-a-Service' openly, rather than on the dark web, offering training and customer support for its tools.