Microsoft disrupted an alleged threat actor group that built viable cybercrime-as-a-service (CaaS) businesses. Dubbed Storm-1152 by Microsoft, the group bilked enterprises and consumers globally out of millions of dollars.
Images of Storm-1152’s illicit websites. Source: Microsoft
Cybercrime-as-a-service is a model where adversaries with superior skills build attack tools, like automated bots, to sell to other fraudsters who may not be as technically adept, increasing the opportunity and reach for cybercrime and fraud. CaaS businesses encourage and enable more people to commit fraud at a volume and velocity that can overwhelm even experienced internal security operation center (SOC) teams. CaaS is in part responsible for the 167 percent increase in bot attacks this year, according to Arkose Labs.
“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” said Kevin Gosschalk, CEO at Arkose Labs. “The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet-going concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”
The group’s CaaS business initially sold fraudsters ready-made, rote solver services for CAPTCHAs, which are the most effective security technology solutions to distinguish malicious bot attacks from genuine human consumers’ activities.
Storm-1152 promoted that its solvers could bypass any CAPTCHA, enabling fraudsters to abuse the online environments of Microsoft and enterprises in other industries. It later pivoted its business model, deploying bots to register phony Microsoft accounts using fictitious usernames and then selling the fake accounts in bulk to other fraudsters so that they could use the accounts for a wide variety of online attacks, like phishing, malware, romance scams, in-product abuse, etc.
Storm-1152 earned millions of dollars through these illicit activities, predicate offenses to financial crimes like money laundering.
The Arkose Cyber Threat Intelligence Research (ACTIR) unit first detected Storm-1152 in August 2021, pinpointing its whereabouts in Vietnam. “ACTIR observed anomalies in Microsoft account-creation traffic, including creating accounts at a scale so large, fast, and efficient that it could have only been carried out through automated, machine-learning technology versus human actions,” said Arkose Labs Chief Customer Officer Patrice Boffa.