Microsoft disrupts credentials marketplace, warns of gift card fraud, OAuth abuse
After a relatively quiet final Patch Tuesday of 2023, Microsoft published warnings this week about the potential for gift card fraud and hackers abusing a popular authentication technology.
Alongside the warnings, Microsoft said it recently used a court order to shut down a cybercrime marketplace where 750 million fraudulent Microsoft accounts were available for sale.
Cybercrime holidays
On Thursday, Microsoft warned of a threat actor it has named Storm-0539 launching attacks on retail organizations ahead of the holidays. Researchers have seen a “surge” in the group’s activity, the company said.
The tech giant previously spotlighted the hackers in November, calling them a “financially motivated group” that has been active since late 2021. The gang has a penchant for targeting retail organizations for gift card fraud and theft and “carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access.”
“The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities,” they said.
As the holiday season kicks into full gear, Microsoft said the group was ramping up its gift card attacks by using “highly sophisticated email and SMS phishing during the holiday shopping season.”
The gang steals credentials with fake login pages and then uses that illicit access to gain further persistence in a victim’s systems.
“With each successful compromise, Storm-0539 escalates privileges, moves laterally, and accesses cloud resources to collect specific information. Storm-0539 enumerates internal resources and identifies gift card-related services that can be used for gift card fraud,” the company’s researchers said on Thursday.
“In addition to gift card fraud, Storm-0539 collects additional information, including emails, contact lists, and network configurations for future attacks against the same organization.”
Groups assigned the word “Storm” by Microsoft tend to represent a “newly discovered, unknown, emerging, or developing cluster of threat activity.”
Takedown of Vietnam-based credential sellers
Alongside the holiday season warnings, Microsoft announced this week that it obtained a court order to seize the U.S.-based infrastructure of a cybercriminal group running several websites that sold access to approximately 750 million fraudulent Microsoft-branded accounts, earning the group millions of dollars in illicit revenue.
On December 7, Microsoft got a court order from the Southern District of New York allowing it to take down the fraudulent Microsoft Outlook account marketplace Hotmailbox.me as well as several websites — 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA — that “facilitate the tooling, infrastructure, and selling of the CAPTCHA solve service to bypass the confirmation of use and account setup by a real person.”
“These sites sold identity verification bypass tools for other technology platforms,” said Amy Hogan-Burney, associate general counsel at Microsoft.
Hogan-Burney said Microsoft worked with researchers at the Arkose Cyber Threat Intelligence Research unit, who provided more insight into the group’s operations — allowing them to identify three Vietnamese nationals as the culprits behind the group.
Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen were all named in the lawsuit. Microsoft said it has submitted a criminal referral to U.S. law enforcement about their activities.
“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” she explained, calling the group “Storm-1152.”
The websites sold fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms — reducing the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.
Hackers and cybercriminals need fraudulent accounts to prop up their automated activities, according to Microsoft. As companies get better at shutting down fraudulent accounts, cybercriminals need more and more in order to facilitate attacks.
Storm-1152 and other groups allow hackers to simply buy the accounts instead of wasting time creating them.
“Microsoft Threat Intelligence has identified multiple groups engaged in ransomware, data theft and extortion that have used Storm-1152 accounts. For example, Octo Tempest, also known as Scattered Spider, obtained fraudulent Microsoft accounts from Storm-1152,” she said.
“Octo Tempest is a financially motivated cybercrime group that leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. Microsoft continues to track multiple other ransomware or extortion threat actors that have purchased fraudulent accounts from Storm-1152 to enhance their attacks, including Storm-0252 and Storm-0455.”
Microsoft also worked with Arkose Labs to create a new CAPTCHA defense tool that forces people to prove they are a human being.
Ngoc Bui, a cybersecurity expert at Menlo Security, told Recorded Future News that the action by Microsoft highlighted the “often-overlooked technical capabilities and cybercrime activities originating from countries like Vietnam.”
OAuth misuse
On Tuesday, Microsoft warned that hackers are abusing a popular authentication tool and costing organizations millions of dollars through their actions.
The blog focused on OAuth — a standard that allows applications to get access to data and resources based on permissions set by a user.
Hackers have been able to “compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity.”
Microsoft said it saw a hacker it tracks as Storm-1283 use a compromised account to create an OAuth application that allowed them to deploy crypto mining tools.
“Targeted organizations incurred compute fees ranging from $10,000 to $1.5 million USD from the attacks, depending on the actor’s activity and duration of the attack,” Microsoft said.
“Storm-1283 looked to maintain the setup as long as possible to increase the chance of successful cryptomining activity.”
The abuse of OAuth allows hackers to maintain their access to applications “even if they lose access to the initially compromised account.”
Several attacks tracked by Microsoft saw threat actors use phishing attacks or password spraying to compromise a user account and elevate their privileges to “deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.”
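The pattern described above (a compromised user registers an OAuth application, gives it its own credentials and grants it broad permissions, so the attacker keeps access even after the user account is recovered) is something a defender can look for in directory audit logs. The following detector is an added example written for this article, not Microsoft’s own tooling; the event records are constructed and use a simplified shape loosely modelled on Entra ID audit-log fields, and the high-privilege permission list is illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified, Entra-style audit records); not real tenant data.
SAMPLE_EVENTS = [
    {"time": "2023-12-01T09:02:00", "activity": "Add application",
     "actor": "alice@example.test", "app": "finance-sync"},
    {"time": "2023-12-01T09:05:00", "activity": "Add service principal credentials",
     "actor": "alice@example.test", "app": "finance-sync"},
    {"time": "2023-12-01T09:07:00", "activity": "Add app role assignment to service principal",
     "actor": "alice@example.test", "app": "finance-sync",
     "permission": "Directory.ReadWrite.All"},
    {"time": "2023-12-01T10:15:00", "activity": "Add application",
     "actor": "bob@example.test", "app": "hr-dashboard"},
    {"time": "2023-12-03T14:00:00", "activity": "Add service principal credentials",
     "actor": "bob@example.test", "app": "hr-dashboard"},
]

# Permissions that let an app act tenant-wide (illustrative list, not exhaustive).
HIGH_PRIVILEGE = {"Directory.ReadWrite.All", "Application.ReadWrite.All",
                  "RoleManagement.ReadWrite.Directory"}

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_suspicious_app_chains(events, window=timedelta(hours=1)):
    """Flag apps that one user created, gave their own credentials and granted a
    high-privilege permission within a short window: the persistence setup the
    article describes. Returns dicts with app, actor, permission and minutes
    elapsed from app creation to the privilege grant."""
    by_app = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_app[e["app"]].append(e)
    findings = []
    for app, chain in by_app.items():
        created = next((e for e in chain if e["activity"] == "Add application"), None)
        if created is None:
            continue
        start = _ts(created)
        # Only events by the same actor inside the window after creation count.
        later = [e for e in chain if start <= _ts(e) <= start + window
                 and e["actor"] == created["actor"]]
        has_cred = any(e["activity"] == "Add service principal credentials" for e in later)
        grant = next((e for e in later
                      if e["activity"] == "Add app role assignment to service principal"
                      and e.get("permission") in HIGH_PRIVILEGE), None)
        if has_cred and grant is not None:
            findings.append({"app": app, "actor": created["actor"],
                             "permission": grant["permission"],
                             "minutes": (_ts(grant) - start).total_seconds() / 60})
    return findings
```

On the sample data only `finance-sync` is flagged: `hr-dashboard` received credentials two days after creation and never got a high-privilege grant, so it falls outside the window.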
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.