Millions of Microsoft Accounts Power Lattice of Automated Cyberattacks

Microsoft's Digital Crimes Unit last week disrupted a prolific cybercrime-as-a-service (CaaS) purveyor that it calls Storm-1152, which registered more than 750 million fraudulent Microsoft accounts to sell online to other cybercriminals — raking in millions of dollars in the process.

"Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms," Amy Hogan-Burney, general manager for Microsoft's DCU, explained in a posting on the group. "These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online."

Fraudulent accounts tied to fake profiles offer cybercriminals an essentially anonymous launchpad for automated criminal activities like phishing, spamming, ransomware, and other types of fraud and abuse. And Storm-1152 is the top of the fake account creation heap, providing many of the most well-known cyber threat actors out there with account services. According to Microsoft, these include Scattered Spider (aka Octo Tempest), which is the cybercrime group behind this fall's MGM Grand and Caesars Entertainment ransomware hits.

Hogan-Burney also wrote that the DCU identified the main ringleaders of the group, all based in Vietnam: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.

"Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services," she wrote.

Microsoft has since submitted a criminal referral to US law enforcement on all three perps. And as part of the disruption, Microsoft obtained a greenlight court order from the Southern District of New York to seize and take offline Storm-1152's US-based infrastructure, including:

A Sophisticated Crimeware-as-a-Service Ring

The fact that Storm-1152 was able to bypass security checks like CAPTCHAs and generate millions of Microsoft accounts tied to nonexistent people highlights the group's sophistication, researchers say.

The racket was likely carried out by "leveraging automation, scripts, DevOps practices and AI to bypass security measures like CAPTCHAs," says Craig Jones, vice president of security operations at Ontinue, who calls the CaaS phenomenon a "complex facet of the cybercrime ecosystem … making advanced cybercrime tools accessible to a wider range of malicious actors." 

Callie Guenther, senior manager for cyber threat research at Critical Start, notes that "the use of automatic CAPTCHA-solving services indicates a fairly high level of sophistication, allowing the group to bypass one of the primary defenses against automated account creation."

She adds, "To accomplish this, they might have exploited vulnerabilities in Microsoft's account creation system, such as using patterns or loopholes that were not immediately detected by Microsoft's security systems."

Shutting Down Account Abuse

To avoid becoming an unwitting accomplice to cybercrime, platforms can take a number of steps, including deploying advanced detection algorithms that can identify and flag suspicious activities at scale, preferably with the use of AI, the researchers noted.

And implementing strong multifactor authentication (MFA) for account creation, especially those with escalated privileges, can significantly reduce the success rate of fraudulent account generation. But more work needs to be done on several fronts, according to Ontinue's Jones.

"The Storm-1152 case exemplifies the need for constant vigilance, adaptive security measures, collaborative intelligence sharing, and potentially more stringent regulatory frameworks to effectively combat the evolving landscape of cyber threats,” he explains.