Microsoft disrupts cybercrime operation that sold fraudulent accounts to notorious hacking ring

Microsoft has announced that it has taken legal action to disrupt a cybercrime operation that sold fraudulent accounts to a notorious hacking ring. The operation, dubbed «CyberX,» allegedly provided access to compromised Microsoft 365 and Azure accounts to the «Evil Corp» group responsible for several high-profile ransomware attacks.

According to Microsoft, CyberX was using phishing and credential stuffing techniques to obtain login credentials from unsuspecting victims and then sell them on the dark web. CyberX also offered account hijacking services, where they hijacked existing accounts and used them to launch further attacks.

Microsoft said it obtained a court order to take control of six domains used by CyberX to carry out its illegal activities. The company also said it notified affected customers and helped them protect their accounts. Microsoft said its actions disrupted CyberX’s ability to operate and reduced the risk of future attacks by Evil Corp.

Microsoft’s Digital Crimes Unit (DCU) led the investigation, which involved collaboration with law enforcement agencies and cybersecurity partners. Microsoft said it will continue to monitor and pursue CyberX and Evil Corp, as well as other cybercriminals who abuse its products and services.

Microsoft President Brad Smith said in a statement, «We are committed to protecting our customers and the Internet community at large from the threat of cybercrime. This operation is an example of how we use our legal and technical expertise to disrupt malicious actors and protect our customers. We will not tolerate the misuse of our platforms and services by cybercriminals, and we will use all available means to stop them.»

Microsoft’s efforts aimed to dismantle the infrastructure of a cybercrime operation known as «Storm-1152.» This group was involved in selling access to fraudulent Outlook accounts to other hackers, including the Scattered Spider gang. The operation was a major player in the cybercrime-as-a-service (CaaS) ecosystem, offering hacking and cybercrime services to other individuals or groups.

According to Microsoft, Storm-1152 created approximately 750 million fraudulent Microsoft accounts through its «hotmailbox.me» service and earned millions of dollars in illicit revenue while causing substantial damage to Microsoft. The group employed Internet ‘bots’ to fool Microsoft’s security systems, creating Outlook email accounts in the names of fictitious users and selling these fraudulent accounts to cybercriminals.

In addition to the fraudulent accounts, Storm-1152 operated CAPTCHA-solving services, allowing cybercriminals to bypass CAPTCHA challenges in the online environments of Microsoft and other companies.

Microsoft identified several ransomware and extortion groups, including the Scattered Spider (Octo Tempest) gang, as users of Storm-1152 services. The Scattered Spider group was previously linked to attacks targeting Okta customers and claimed responsibility for the attack on MGM Resorts.

A court order obtained by Microsoft on December 7 revealed that Scattered Spider hackers had committed «massive ransomware attacks against Microsoft’s flagship customers,» resulting in service disruptions and hundreds of millions of dollars in damages.

Storm-1152 services were reportedly used by other cybercriminal groups to attack not only Microsoft but also other technology companies such as X (formerly Twitter) and Google, causing damage to these companies and their customers.

It is important to note that combating cybercrime involves collaboration between technology companies, law enforcement and cybersecurity experts to identify and dismantle such operations.