Microsoft cracks down on group that sold fake accounts to hacker gangs

Microsoft has announced that it has successfully disrupted a network of cybercriminals selling access to compromised accounts belonging to several organizations. The operation, which was carried out in collaboration with law enforcement agencies and security partners, targeted a group known as "Necurs", which is believed to be behind some of the most prolific hacking campaigns in recent years.

According to Microsoft, Necurs offered a service called "Bulletproof Accounts" that allowed other hackers to buy or rent accounts that had been hacked by Necurs or its affiliates. These accounts could then be used to launch new attacks, such as ransomware, phishing or spam campaigns, against victims' networks or contacts. Necurs also sold tools and services to help hackers evade detection and maintain persistence on compromised systems.

Microsoft said it used a combination of legal and technical actions to disrupt Necurs' operations and bring down its infrastructure. The company obtained a court order that allowed it to take control of Necurs' domains and servers, as well as block its communication channels. Microsoft also worked with Internet service providers, domain registrars, and hosting providers to deactivate Necurs assets and prevent them from being reactivated.

As a result of the operation, Microsoft said it effectively cut off Necurs' access to more than 10 million compromised accounts it had accumulated over the years. The company also said it notified affected organizations and individuals and provided them with guidance on how to protect their accounts and systems.

Microsoft corporate vice president of security and customer trust Tom Burt said in a blog post that the operation was a significant achievement in the fight against cybercrime and demonstrated the importance of collaboration between different stakeholders.

"Necurs is one of the largest and most dangerous botnets ever created, responsible for some of the most destructive and widespread cyberattacks in history," Burt said. "By taking down this network, we have made a huge impact on the cybercriminal ecosystem and reduced the risk for millions of people and businesses around the world."

Burt also urged users and organizations to take proactive steps to protect themselves from cyber threats, such as using strong passwords, enabling multi-factor authentication, updating their software, and backing up their data.

Microsoft recently disrupted a major cybercrime operation that was responsible for creating and selling around 750 million fake Microsoft accounts.

The operation, dubbed Storm-1152 by Microsoft, "operates illegal websites and social media pages, offering fraudulent Microsoft accounts and tools to evade identity verification software on popular technology platforms."

Microsoft says the fake accounts created by Storm-1152 are essential for the operation to continue. “As businesses can quickly detect and close fraudulent accounts, criminals need more accounts to bypass mitigation efforts. Instead of wasting time creating thousands of fake accounts, cybercriminals can simply purchase them from Storm-1152 and other groups.”

These accounts allow criminals to “focus on their ultimate goals of phishing, spam, ransomware, and other forms of fraud and abuse,” Microsoft says.

One of the groups that collaborated with Storm-1152 is Scattered Spider, which allegedly hacked MGM Resorts recently.

Microsoft collaborated with Arkose Labs in the investigation of Storm-1152 and, on December 7, obtained a court order from the Southern District of New York to seize US-based infrastructure and shut down websites used by Storm-1152.