Microsoft disrupts the RaccoonO365 Phishing-as-a-Service operation, names alleged leader

Microsoft and Cloudflare have disrupted a Phishing-as-a-Service operation selling the RaccoonO365 kit for stealing Microsoft 365 account credentials.

“Using a court order granted by the Southern District of New York, [we] seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims,” announced Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit (DCU).

Who is behind RaccoonO365?

RaccoonO365 (aka Storm-2246) sold pre-packaged, subscription-based phishing kits, which allowed low-skilled attackers to send out emails impersonating trusted brands like DocuSign, SharePoint, Adobe, and Maersk and set up fake, Microsoft-branded login pages to capture authentication credentials and cookies.

“When the victim enters their credentials, the kit acts as an adversary-in-the-middle, proxying the authentication flow to Microsoft’s servers and allowing the attacker to capture not only the password but also the resulting session cookie, effectively bypassing MFA,” Cloudflare noted.
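The adversary-in-the-middle flow Cloudflare describes leaves a detectable trace on the defender's side: the stolen session cookie is replayed from the attacker's infrastructure shortly after the victim's MFA-backed sign-in. The following is an added example (not code from Microsoft, Cloudflare or the article) that scans constructed sign-in records for a session ID reappearing from a different network within a short window without a fresh MFA prompt; the field names and sample values are assumptions, not any real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real tenant data). "sess-1" is a
# legitimate MFA sign-in followed minutes later by the same session token
# used from a different ASN: the pattern an AitM cookie replay produces.
# "sess-2" moves IP within the same ASN, which is ordinary roaming.
SAMPLE_EVENTS = [
    {"time": "2025-09-16T09:00:00", "user": "alice@example.com",
     "session_id": "sess-1", "ip": "203.0.113.10", "asn": "AS64500", "mfa": True},
    {"time": "2025-09-16T09:07:00", "user": "alice@example.com",
     "session_id": "sess-1", "ip": "198.51.100.77", "asn": "AS64511", "mfa": False},
    {"time": "2025-09-16T10:00:00", "user": "bob@example.com",
     "session_id": "sess-2", "ip": "203.0.113.10", "asn": "AS64500", "mfa": True},
    {"time": "2025-09-16T11:30:00", "user": "bob@example.com",
     "session_id": "sess-2", "ip": "203.0.113.11", "asn": "AS64500", "mfa": False},
]


def find_session_replays(events, window=timedelta(hours=1)):
    """Return alerts for session IDs reused from a different ASN within `window`.

    A session cookie captured by an AitM proxy is replayed from the
    attacker's network, so the same session shows up from a second ASN
    soon after the MFA-backed sign-in and without a new MFA prompt.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        first = evs[0]
        t0 = datetime.fromisoformat(first["time"])
        for later in evs[1:]:
            t1 = datetime.fromisoformat(later["time"])
            if later["asn"] != first["asn"] and t1 - t0 <= window and not later["mfa"]:
                alerts.append({"user": later["user"], "session_id": sid,
                               "first_ip": first["ip"], "replay_ip": later["ip"],
                               "minutes_after": int((t1 - t0).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

The same logic maps onto real identity logs by substituting the tenant's session identifier, client IP and MFA-result fields; the ASN comparison is what separates cookie replay from a user simply changing IP within their own provider.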

A phishing page set up by a RaccoonO365 customer (Source: Cloudflare)

Microsoft covertly purchased the phishing kits and their accompanying instructions from the group, which allowed it to track the group’s cryptocurrency transactions.

An operational security lapse by the threat actors – namely, their inadvertent disclosure of a secret cryptocurrency wallet – helped Microsoft understand the group’s operations and, ultimately, put a name to the RaccoonO365 group’s leader: Joshua Ogundipe.

The Nigeria-based man, along with his associates, uses Telegram to market the service/tool via a private channel.

“Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code.”

Two of the other defendants provide administrative and technical support and help sell the service, while the remaining two are cybercriminals who purchased the RaccoonO365 phishing kit, registered new phishing domains, and incorporated them into the group’s technical infrastructure.

In August, Microsoft filed a lawsuit against Ogundipe and four unnamed associates, who remain at large.

What’s next?

Cloudflare says that the RaccoonO365 platform operates on a tiered pricing model with offerings structured to appeal to a range of criminals.

“Plans are sold in various durations, such as a 30-day plan for $355 and a 90-day plan for $999. The service exclusively accepts cryptocurrencies, including USDT (TRC20, BEP20, Polygon) and Bitcoin (BTC),” the company explained.

So far, the group has “earned” at least $100,000 through their criminal enterprise, and continues evolving its offering. The latest advertised addition is RaccoonO365 AI-MailCheck, designed to scale operations and increase the effectiveness of attacks.

“A criminal referral for Ogundipe has been sent to international law enforcement,” Masada added, and noted that filing a lawsuit is just the start.

“We always expect actors to try to rebuild their operations. That means the DCU will continue to take additional legal steps in the case to dismantle any new or reemerging infrastructure,” he noted.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.