
Microsoft disrupts cybercrime operation that sold fraudulent accounts to notorious hacker gang


Microsoft has announced that it has taken legal action to disrupt a cybercrime operation that sold fraudulent accounts to a notorious hacking gang. The operation, dubbed “CyberX,” allegedly provided access to compromised Microsoft 365 and Azure accounts to the “Evil Corp” group, responsible for several high-profile ransomware attacks.


According to Microsoft, CyberX was using phishing and credential stuffing techniques to obtain login credentials from unsuspecting victims and then sell them on the dark web. CyberX also offered account takeover services, where they would hijack existing accounts and use them to launch further attacks.

Microsoft said it obtained a court order to take control of six domains that CyberX used to carry out its illegal activities. The company also said it notified affected customers and helped them protect their accounts. Microsoft said its actions disrupted CyberX's ability to operate and reduced the risk of future attacks by Evil Corp.

Microsoft's Digital Crimes Unit (DCU) led the investigation, which involved collaboration with law enforcement agencies and cybersecurity partners. Microsoft said it will continue to monitor and pursue CyberX and Evil Corp, as well as other cybercriminals who abuse its products and services.

Microsoft President Brad Smith said in a statement: “We are committed to protecting our customers and the broader Internet community from the threat of cybercrime. This operation is an example of how we use our legal and technical expertise to thwart malicious actors and protect our clients. We will not tolerate misuse of our platforms and services by cybercriminals, and we will use all available means to stop them.”

Separately, Microsoft has described its efforts to dismantle the infrastructure of a cybercrime operation known as "Storm-1152." This group sold access to fraudulent Outlook accounts to other hackers, including the Scattered Spider gang. The operation was a major player in the cybercrime-as-a-service (CaaS) ecosystem, offering hacking and cybercrime services to other individuals or groups.

According to Microsoft, Storm-1152 created approximately 750 million fraudulent Microsoft accounts through its “hotmailbox.me” service and earned millions of dollars in illicit revenue while causing substantial damage to Microsoft. The group used Internet 'bots' to trick Microsoft's security systems, creating Outlook email accounts in the names of fictitious users and selling these fraudulent accounts to cybercriminals.

In addition to fraudulent accounts, Storm-1152 operated fee-based CAPTCHA-solving services, allowing cybercriminals to bypass these security measures in the online environments of Microsoft and other companies.

Microsoft identified several ransomware and extortion groups, including the Scattered Spider (Octo Tempest) gang, as users of Storm-1152's services. The Scattered Spider group was previously linked to attacks targeting Okta customers and claimed responsibility for the attack on MGM Resorts.

A court order obtained by Microsoft on December 7 revealed that Scattered Spider hackers had committed "massive ransomware attacks against flagship Microsoft customers," resulting in service disruptions and hundreds of millions of dollars in damage.

Storm-1152's services were reportedly used by other cybercriminal groups to attack not only Microsoft but also other technology companies such as X (formerly Twitter) and Google, causing damage to these companies and their customers.

Combating cybercrime of this kind depends on collaboration between technology companies, law enforcement and cybersecurity experts to identify and dismantle such operations.