A federal judge has ordered three internet service providers to block multiple websites developed by the group Storm-1152, which is alleged to be the top creator and seller of fraudulent Microsoft accounts.
The order requires the ISPs to take down four websites run by Storm-1152. One site is said to have sold fraudulent Microsoft Outlook accounts. The rest allegedly provided artificial-intelligence-based CAPTCHA-solving services that help fraudsters evade bot-detection challenges — the identity-verification tests that ask users to pick out objects in a photo or read distorted text before creating accounts.
In
Three defendants are named in the restraining order: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based in Vietnam. Microsoft said the three lead Storm-1152's operations: they operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services.
The defendants did not immediately respond to emailed requests for comment on Wednesday.
Microsoft said it has asked law enforcement authorities to conduct a criminal investigation.
In his findings related to the leaders of Storm-1152, U.S. District Judge Paul Engelmayer said there was "good cause" to believe that the defendants had engaged in eight criminal practices, including racketeering and trademark infringement. That justified the order to take down four websites: 1stcaptcha.com, anycaptcha.com, nonecaptcha.com, and hotmailbox.me, according to Engelmayer.
The court ordered VeriSign and Identity Digital, the managers and operators of the .com and .me registries, to reregister the fraudulent domains to be under Microsoft's control. The court also ordered Cloudflare, the service provider for the fraudulent websites, to preserve evidence related to the case, disable computers serving the fraudulent websites, and prevent the defendants from registering additional domains.
Arkose Labs said in
"One of our aims in sharing this information is to alert security ops professionals to potential sessions that should be examined and to warn those on the product side of the risk that a significant number of your customer accounts might be fake," reads the blog post from Arkose Labs CEO Kevin Gosschalk and Chief Customer Officer Patrice Boffa. "Today's action has a much broader impact, benefiting enterprises beyond Microsoft."
The primary outcome of disrupting Storm-1152 is a slowing of the fraudulent activity that actors across the cybercrime ecosystem can perpetrate, according to Amy Hogan-Burney, general manager and associate general counsel of cybersecurity policy and protection at Microsoft.
"With today's action, our goal is to deter criminal behavior," Hogan-Burney said in the Microsoft blog post. "By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users."
Microsoft has identified multiple groups engaged in ransomware, data theft and extortion that have used Storm-1152 accounts, including Scattered Spider (also known as Octo Tempest), the group behind the ransomware attack against
The disruption to Storm-1152's infrastructure this week was described as a major win for preventing automated account creation — Microsoft said the group is the "number one seller and creator of fraudulent Microsoft accounts."
But other groups are likely to recreate its services, and persistence will be required of corporate officials and others to keep bad actors under control, Hogan-Burney said in the Microsoft blog post.
"No disruption is a one and done," Hogan-Burney said. "While today's legal action will impact Storm-1152's operations, we expect other threat actors will adapt their techniques as a result. Going after cybercrime therefore requires persistence, collaboration and ongoing vigilance to disrupt new malicious infrastructure."