Microsoft Targets Threat Group Behind Fake Accounts
2023-12-14 23:03:36 Author: securityboulevard.com

Microsoft seized parts of the infrastructure of a prolific Vietnam-based threat group that the IT giant said was responsible for creating as many as 750 million fraudulent Microsoft accounts that were then sold to other bad actors and used to launch a range of cyberattacks – from ransomware to phishing to identity theft – against Microsoft and other platforms.

The cybercrime-as-a-service (CaaS) operation run by the group Storm-1152 used a Hotmail account to sell the fraudulent Microsoft accounts, social media accounts to market the business, and three websites to house the tools and infrastructure and sell the CAPTCHA solve service that allowed hackers to bypass the anti-bot security feature and set up and use the accounts.

The threat group, which ran the operation like a retail business, pulled in millions of dollars over the past couple of years, according to Amy Hogan-Burney, general manager and associate general counsel for Microsoft’s Cybersecurity Policy and Protection unit. She added that Storm-1152 plays a key role in the CaaS landscape.

“Cybercriminals need fraudulent accounts to support their largely automated criminal activities,” Hogan-Burney wrote in a blog post. “With companies able to quickly identify and shut down fraudulent accounts, criminals require a greater quantity of accounts to circumvent mitigation efforts. Instead of spending time trying to create thousands of fraudulent accounts, cybercriminals can simply purchase them from Storm-1152 and other groups.”

CaaS a Growing Problem

As with any as-a-service business, CaaS lowers the bar to entry, enabling less-skilled bad actors to carry out effective attacks and focus their efforts on running ransomware, phishing, spamming, and other criminal campaigns. CaaS operations are a growing threat, relatively unknown a few years ago and now accounting for about 80% of the attack traffic seen by Arkose Labs’ security operation center.

“Storm-1152’s services are easily procured on the web, and frequently are used as the first step in illegal and illicit online activities, many of which lead to money laundering,” wrote Arkose Labs founder and CEO Kevin Gosschalk and Patrice Boffa, the company’s chief customer officer.

Arkose has been tracking Storm-1152 since 2021 and worked closely with Microsoft to disrupt the group’s operations.

Hogan-Burney wrote that multiple groups involved with ransomware, data theft, and extortion used fraudulent accounts from Storm-1152, including Octo Tempest – also known as Scattered Spider – a financially motivated threat actor that uses social engineering tactics to compromise organizations. Other groups include Storm-0252 (aka BazaCall), which runs phishing campaigns and was back in the news this week for using Google Forms to give its scheme an air of legitimacy.

Another group using Storm-1152’s services is Storm-0455, the Russia-linked espionage group also known as Strontium and APT29 and the cybercriminals behind the high-profile SolarWinds attack in 2020.

A Business-Like Approach

Storm-1152 initially built its business on AnyCaptcha.com, a CAPTCHA solver service that came with a versatile business model, according to Arkose’s Gosschalk and Boffa.

“Not only did the company sell its technology like any other kind of software company – with pricing structures based upon a customer’s needs – but it also would perform fake account registration attacks, sell those fake accounts to other cybercriminals, and then cash out with cryptocurrency,” they wrote.

The Arkose Cyber Threat Intelligence Research (ACTIR) unit first detected the CaaS operation in 2021, describing it as a systematic effort and one of the early CAPTCHA-solver approaches to use machine learning techniques. The group later started using the aliases 1stCaptcha and NoneCaptcha and operated hotmailbox.me, which made it among the largest and most sophisticated of such attackers ACTIR had seen, due in large part to its persistence and rapid pace of innovation.

“They were able to iterate quickly and constantly over the past two years, with an evolving strategy that pivoted from solving challenges through rote methods to evading detection by disguising their telltales in attempts not to be identified as malicious traffic,” Gosschalk and Boffa wrote. “Hotmailbox.me was an additional pivot made to address the inability to provide their customers with a consistent solve service.”

Such “adaptability is what makes all CaaS businesses pernicious,” they wrote.

Legal Action

Hogan-Burney wrote that Microsoft obtained a court order December 7 from the Southern District of New York to seize any of Storm-1152’s infrastructure based in the United States and take its website offline, adding that the technology was used not only to create and sell fraudulent Microsoft accounts but also to slip past security measures on other technology platforms.

In all, Microsoft took down the three CAPTCHA solver websites, the Hotmail account, and the social media accounts used to sell the group’s services.

It also confirmed the identities of three people leading the Storm-1152 operations – Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen – who are based in Vietnam. The three operated the services, wrote the code for the websites, published detailed instructions for using their products via video tutorials, and provided chat services to help those using the services.

“Microsoft has since submitted a criminal referral to U.S. law enforcement,” Hogan-Burney wrote.

Article source: https://securityboulevard.com/2023/12/microsoft-targets-threat-group-behind-fake-accounts/