Microsoft secured a court order to seize and take down websites used by a group that it describes as the “number one seller and creator of fraudulent Microsoft accounts,” which deployed bots capable of tricking the CAPTCHA systems normally used to confirm that humans are creating accounts.
The group, which Microsoft calls Storm-1152, also routinely circumvented the authentication systems of other major technology companies, including Twitter (X) and Google, according to a Microsoft complaint unsealed Wednesday afternoon in the U.S. District Court for the Southern District of New York.
The group “represents a significant industry-wide problem,” the complaint says.
Bots deployed by Storm-1152 were responsible for about 750 million fraudulent Microsoft accounts, the company said. One reason they needed to create so many was that the company’s fraud detection systems identified and disabled the accounts quickly, often in a matter of hours after they were created.
“We are sending a strong message to those who seek to create, sell or distribute fraudulent Microsoft products for cybercrime: We are watching, taking notice and will act to protect our customers,” said Amy Hogan-Burney, Microsoft GM and associate general counsel for cybersecurity policy and protection, in a post.
The group has been engaged in the scheme to circumvent CAPTCHA since 2021, according to the complaint, which describes the group’s general approach without going into deep technical detail. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
Cybercriminal groups used email accounts created by Storm-1152 to launch phishing campaigns, ransomware attacks, and other criminal activities, Microsoft said in the complaint.
One of the criminal groups, dubbed Octo Tempest, “recently committed massive ransomware attacks against flagship Microsoft customers that infected the computer systems of those customers with ransomware which disabled critical operational systems, resulting in service disruptions that inflicted hundreds of millions of dollars of damage,” according to the complaint.
The complaint named three residents of Vietnam as defendants: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.
Microsoft credited cybersecurity defense and bot management vendor Arkose Labs for providing “valuable threat intelligence insights” that led to the detection and disruption of the group. The company says it’s also working with Arkose to deploy a next-generation CAPTCHA defense solution.