The Exploding Threat of Cybercrime-as-a-Service
CaaS businesses have dramatically lowered the barriers to entry for would-be digital attackers. Relatively unknown just a couple of years ago, they have erupted into a material threat and are responsible for roughly 80% of the attack traffic the Arkose Labs SOC team observes, according to David Mouatt, Vice President of Global Security Operations, Arkose Labs. These platforms sell tools, infrastructure, and even provide services like tech support and how-to guides to bad actors for conducting mass-scale, automated cyber attacks. They aid and abet the proliferation of the cybercriminal world.
The initial CaaS business built by Storm-1152 operated from AnyCaptcha.com, a destructive CAPTCHA solver service with a versatile business model. Not only did the company sell its technology like any other kind of software company – with pricing structures based upon a customer’s needs – but it also would perform fake account registration attacks, sell those fake accounts to other cybercriminals, and then cash out with crypto currency.
Storm-1152’s services are easily procured on the web, and frequently are used as the first step in illegal and illicit online activities, many of which lead to money laundering. In the spirit of sharing threat intelligence, we are disclosing our interactions with this CaaS business to help the cybersecurity community understand how these businesses work and to discover how their own platforms, sites, and apps might be targeted.
The Discovery of a New Cyberattacker
In the late summer of 2021, the Arkose Cyber Threat Intelligence Research (ACTIR) unit began observing signals and telltales that were the initial identifiers of the technical workings and traits of a major CAPTCHA solver service used in an attempt to bypass anti-bot security measures on Microsoft’s and other companies’ digital platforms.
These activities appeared to originate from Vietnam, which previously had been home to similar fraudulent activity on a smaller scale. The difference now, however, was that the effort was more systematic and appeared to stem from a cohesive threat actor group. Another notable difference was that previously identified solver services were primarily human fraud farms – and the activity ACTIR observed indicated one of the earliest ML-based solver approaches.
Just how did we discover the attacks? When bad actors attempt to log in or sign on to our customer accounts, our Arkose Bot Manager defense service detects anomalous activity, and introduces a challenge that requires suspect users to represent that they are a human being (not a bot) and verify the accuracy of that representation by solving various types of challenges.
ACTIR looks at various signals and intelligence captured during these interactions – collectively known as tactics, techniques, and procedures (TTPs) – identifying the specific patterns of activity and methods associated with these threat actors. You can think of them as the unique fingerprints of a particular attacker and their tools. The TTPs enabled our threat intelligence team to identify Storm-1152’s CAPTCHA solver service, initially known as AnyCaptcha.
AnyCaptcha, which also uses the aliases nonecaptcha and 1stCaptcha, also operates hotmailbox.me, making it one of the largest and most sophisticated attackers we’ve seen to date, in large part because of their persistence and the pace of their innovation. They were able to iterate quickly and consistently over the past two years, with an evolving strategy that pivoted from solving challenges through rote methods to evading detection by disguising their telltales in attempts to not be identified as malicious traffic. Hotmailbox.me was an additional pivot made to address the inability to provide their customers with a consistent solve service. This adaptability is what makes all CaaS businesses pernicious.
ACTIR began active engagement and defense against Storm-1152, deploying various tactics to block the group. As ACTIR applied pressure, Storm-1152 pivoted their business model and continued to make mistakes. When Arkose Labs identified and stopped Storm-1152 from attacking our customers, including Microsoft, the group shut down their AnyCAPTCHA.com domain and pivoted to 1stCAPTCHA.com to continue their attacks while trying to hide their history of failures. Again, ACTIR identified and stopped Storm-1152. It was clear AnyCaptcha’s loss of efficiency impacted their bottom line and their profits. Because we understood their TTPs and their business model, we were able to apply tuned pressure to counteract each new attack.
During this time, ACTIR identified and mitigated millions of these attacks on the Microsoft site, and worked to correctly classify and mitigate an even larger volume of threats across our customer network for enterprises operating in industries like financial services, gaming, social media, dating, etc. The unit’s work to gather, analyze, and feed intelligence further strengthened our bot detection and mitigation platform.
But our work doesn’t stop there. Inflicting real-world consequences on bad actors is vital to protecting the digital ecosystem and stopping the proliferation of attacks. To that end, we passed along our intelligence to support Microsoft's Digital Crimes Unit in identifying the real-world operation and people behind the solver service.
Working with Microsoft to Identify the Ringleaders
Microsoft, with insights from ACTIR, discovered that three individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services. Refer to the Microsoft blog for details.
Microsoft filed a lawsuit against the individuals on behalf of its millions of customers who may have been targeted and harmed by the attacks. Arkose Labs is supporting Microsoft with our detailed evidence of the attacks. We are thankful for our relationship with Microsoft; they are a customer who uses our tech as part of their overall account registration defense strategy.
Next Steps
With today’s unsealing of the lawsuit, the court will have already authorized the seizure of websites associated with Storm-1152. A criminal referral has also been submitted to law enforcement.
The goal here is to prevent future attacks by disrupting the solver service's infrastructure, seizing domain names and other technical assets, and seeking to hold the perpetrators civilly and criminally liable.
While this case focuses on fraudulent Microsoft accounts, the CaaS websites impacted today also sold services to bypass security measures on other well-known technology platforms. One of our aims in sharing this information is to alert security ops professionals to potential sessions that should be examined and to warn those on the product side of the risk that a significant number of your customer accounts might be fake. Today’s action has a much broader impact, benefiting enterprises beyond Microsoft.
This is the power of a consortium. Together, we are able to federate the intelligence we see to stop these bad actors globally across multiple companies, quickly and permanently. If you are concerned that your business might be affected, please reach out to Arkose Labs for a discussion.
Refer to the Microsoft blog and Arkose Labs press release for more information.
###
Contact:
Jean Creech Avent
Global Head of Brand and Communications
Arkose Labs
[email protected]
+1 843-986-8229