Marking a major step in the fight against cybercrime, Microsoft has initiated action against Storm-1152, a group that offers a ‘cybercrime-as-a-service’ network.
The company has aggressively pursued legal measures to dismantle Storm-1152’s network, seizing its US-based infrastructure, shutting down key websites, and rigorously investigating to identify the individuals responsible for the group’s activities.
“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” Amy Hogan-Burney, GM and associate general counsel for cybersecurity policy and protection at Microsoft, said in a blog post. “These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”
Storm-1152 has generated about 750 million fake Microsoft accounts for sale, distinguishing itself as a particularly severe threat. Unlike other groups, they provide cybercriminals with easy access to fake accounts. This convenience enables criminals to concentrate on activities such as phishing, spamming, ransomware, and various other frauds and abuses.
Efforts to slow down cybercrime
Microsoft’s actions follow a recent court order from the Southern District of New York, authorizing the company to seize US-based infrastructure and websites used by Storm-1152. The measures included seizing Hotmailbox.me and disrupting services like 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as targeting the social media platforms used for promoting these services.
“With today’s action, our goal is to deter criminal behavior,” Hogan-Burney said. “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”
Microsoft Threat Intelligence has found several groups using Storm-1152’s fake accounts for ransomware and other cybercrimes. Notably, the group Octo Tempest utilized these accounts for international financial extortion. Microsoft is also monitoring other groups, such as Storm-0252 and Storm-0455, which have similarly employed Storm-1152’s services for more effective cyberattacks.