Microsoft removes websites used to create 750 million fraudulent accounts


Microsoft seized some websites run by a Vietnam-based group that created about 750 million fraudulent Microsoft accounts after the software maker received an order from the Southern District of New York court a week ago.

In a December 13 blog post, Microsoft said it identified the threat group as Storm-1152 and stated in its complaint that the group runs a criminal enterprise that uses lies and deception to bypass Microsoft's CAPTCHA and other security measures, obtain fraudulent Microsoft Outlook email accounts, and then sell those accounts to a range of cybercriminals. Microsoft said these fraudulent online accounts serve as a gateway to a host of cybercrime, including mass phishing, identity theft and fraud, and distributed denial of service (DDoS) attacks.

To date, these activities have earned Storm-1152 millions of dollars in illicit revenue, while making it even more expensive for Microsoft and other companies to combat their criminal activities.

“At Microsoft, we continue to look for creative ways to protect people online, including having no tolerance for those who create fraudulent copies of our products to harm others,” said Amy Hogan-Burney, Managing Director and Associate General Counsel for Cybersecurity Policy and Protection at Microsoft.

Hogan-Burney wrote that Microsoft removed a marketplace for fraudulent Microsoft Outlook accounts; 1stCaptcha, AnyCaptcha and NoneCaptcha, which sold identity verification bypass tools; as well as social media sites used to market the fraudulent services. Microsoft said it seized those sites pending its request to the Southern District of New York for a jury trial.

Private Sector Entities Go after Bad Actors

Callie Guenther, senior director of cyber threat research at Critical Start, said Microsoft’s recent move marks an important step in private-sector cybersecurity enforcement. Guenther said this approach, while not entirely new, highlights a proactive stance by private technology companies in combating cybercrime and disrupts the operations of cybercriminal groups, at least temporarily.

“This creates operational and financial setbacks for criminals, forcing them to rebuild or relocate their infrastructure,” Guenther said. “Aggressive actions like this act as a deterrent, signaling to other cybercriminals that technology companies are actively combating such activities. These operations often provide valuable intelligence, including tactics, techniques and procedures used by criminals, which can be used to strengthen defenses.”

Guenther added that from a threat intelligence perspective, actions like Microsoft’s are crucial to understanding and countering sophisticated cybercrime operations. They help security teams map the cybercrime-as-a-service ecosystem, identify new cybercrime trends (such as the use of fraudulent accounts for ransomware and data theft), and enrich threat intelligence databases with updated indicators of compromise (IoCs) and TTPs.

Microsoft has been involved in similar actions before. In December 2021, Microsoft took action against Chinese hackers who used digital certificates to hide malicious activity.

However, Guenther said such public and aggressive interventions by tech companies are relatively rare, mainly due to the complexity of legal and geopolitical considerations. Apple also worked with the FBI in 2016 to take down torrent sites.

“These actions, although infrequent, demonstrate the growing role of private sector entities in cybersecurity enforcement,” Guenther said.

Austin Berglas, global head of professional services at BlueVoyant, added that these takedowns only advance the defenders’ cause if they are supported by other actions. Berglas said the interruption of operations may only be temporary if the core organization and its personnel remain intact.

“The removal of accounts and websites during takedowns whose owners and operators are still free can be considered ‘whack-a-mole’: shortly after these malicious sites are seized, new infrastructure is deployed and operations continue,” Berglas said. “Dismantling an organization is almost impossible when the actors are located in countries like China and Russia, and it is even more complex when this activity is state-sponsored. Seizures of this type must be supported by the federal government when a link is established with a specific host country; the only deterrent for this type of crime is through political and economic considerations.”

Ngoc Bui, a cybersecurity expert at Menlo Security, said the case highlights the often overlooked technical capabilities and cybercrime activities coming from countries like Vietnam. Bui said this is a reminder that cybercrime is a global problem, with significant activity coming from regions not typically associated with large-scale cybercriminal operations.

“This highlights the need for a global perspective and cooperation in cybersecurity efforts,” Bui said. “The continued emergence of sophisticated cybercriminal groups in various regions around the world requires vigilant and collaborative international approaches to effectively combat these evolving threats.”