Microsoft announced a significant victory in the ongoing battle against cybercrime, securing a court order to dismantle the infrastructure established by Storm-1152.
This group, operating since at least 2021, specialized in trafficking approximately 750 million fraudulent Microsoft accounts and associated tools.
The elaborate network operated through deceptive websites and social media channels, contributing to a criminal ecosystem that reaped millions in illicit gains.
Gateway to Cybercrime
Amy Hogan-Burney, Microsoft’s Associate General Counsel for Cybersecurity Policy and Protection, emphasized the pivotal role fraudulent online accounts play as gateways to a spectrum of cybercrimes.
These activities range from mass phishing and identity theft to fraud and distributed denial-of-service (DDoS) attacks.
Cybercrime-as-a-Service (CaaS) Model
Microsoft described Storm-1152’s offerings as a form of Cybercrime-as-a-Service (CaaS), strategically designed to circumvent identity verification software across diverse technology platforms.
This approach streamlined the execution of malicious activities such as phishing, spamming, ransomware, and fraud, effectively lowering entry barriers for potential attackers.
Reducing Effort, Amplifying Impact
The collaboration between Microsoft and Arkose Labs revealed that Storm-1152’s services were instrumental in supporting various threat actors, including Octo Tempest, Storm-0252, and Storm-0455.
These actors utilized fraudulent accounts to orchestrate ransomware attacks, data theft, and extortion schemes.
Identifying Key Players
Microsoft’s investigation, conducted in collaboration with Arkose Labs, successfully identified three individuals in Vietnam crucial to developing and maintaining Storm-1152’s infrastructure.
The key players include Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen.
Illicit Operations and Code Development
The individuals not only operated and maintained the illicit websites but also played a pivotal role in code development.
They provided detailed step-by-step instructions through video tutorials and offered chat services to assist users engaging in fraudulent activities.
BazaCall Phishing Tactics
Recent observations reveal a new layer of sophistication in the BazaCall phishing attacks, as threat actors employ Google Forms to enhance the credibility of their schemes.
This method is a strategic move to heighten the perceived legitimacy of malicious emails, as disclosed by cybersecurity firm Abnormal Security in a report released today.
BazaCall Overview
BazaCall, also known as BazarCall, emerged on the cybersecurity radar in late 2020. It involves phishing attacks where deceptive email messages, masquerading as genuine subscription notices, prompt recipients to contact a purported support desk urgently.
The aim is to dispute or cancel a fictitious subscription plan, threatening charges ranging from $50 to $500.
Manipulation of Urgency
The attackers skillfully induce a false sense of urgency, pushing targets to engage in a phone call.
During these calls, victims are convinced to grant remote access using desktop software under the guise of receiving assistance to cancel the supposed subscription.
Popular Services Impersonated
The deceptive emails often impersonate well-known services, including Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.
Google Forms’ Strategic Advantage
The use of Google Forms is strategic because the form responses are sent from the trusted Google address “forms-receipts-noreply@google[.]com,” which raises the odds that the lure passes through secure email gateways.
The dynamic nature of Google Forms’ URLs also adds a layer of evasion, eluding traditional security measures relying on static analysis and signature-based detection.
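A defender cannot simply block the Google Forms receipt address without breaking legitimate form receipts, so a useful response is to weigh that sender alongside the other BazaCall traits the article describes (an impersonated brand, a threatened charge in the $50 to $500 range, and a phone number the recipient is urged to call). The heuristic below is an added example written for this page, not code from Abnormal Security or the article; the sender address, brand list and charge range come from the text above, while the weights, threshold and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article; weights and threshold are assumptions for this example.
FORMS_SENDER = "forms-receipts-noreply@google.com"
IMPERSONATED_BRANDS = ("netflix", "hulu", "disney+", "masterclass",
                       "mcafee", "norton", "geeksquad")
URGENCY_TERMS = ("cancel", "dispute", "charged", "renew", "subscription", "within 24 hours")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,4})(?:\.\d{2})?")
SUSPICIOUS_THRESHOLD = 5


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def score_callback_phish(msg: Message):
    """Score a message for callback-phishing traits; return (score, reasons).

    A genuine Forms receipt earns only the sender point, so the trusted address
    alone never trips the threshold: it is the combination with a brand name,
    a phone number to call and a disputed charge that marks a lure.
    """
    text = f"{msg.subject}\n{msg.body}".lower()
    score, reasons = 0, []

    if msg.sender.lower() == FORMS_SENDER:
        score += 1
        reasons.append("sent via Google Forms receipt address")

    brands = [b for b in IMPERSONATED_BRANDS if b in text]
    if brands:
        score += 2
        reasons.append(f"impersonated brand(s): {', '.join(brands)}")

    if PHONE_RE.search(msg.body):
        score += 2
        reasons.append("callback phone number present")

    # One point for the first dollar amount inside the typical threatened-charge range.
    for m in AMOUNT_RE.finditer(msg.body):
        if 50 <= int(m.group(1)) <= 500:
            score += 1
            reasons.append(f"threatened charge in typical range: ${m.group(1)}")
            break

    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        score += min(len(hits), 2)  # cap so wording alone cannot dominate the score
        reasons.append(f"urgency/subscription wording: {', '.join(hits)}")

    return score, reasons


def is_suspicious(msg: Message) -> bool:
    return score_callback_phish(msg)[0] >= SUSPICIOUS_THRESHOLD


# Constructed samples, not real messages; 555-01xx numbers are reserved for fiction.
SAMPLE_LURE = Message(
    sender=FORMS_SENDER,
    subject="Your Norton 360 subscription renewal receipt",
    body=("Your card will be charged $349.99 for the annual plan. To cancel or dispute "
          "this charge, call our support desk at 1-800-555-0199 within 24 hours."),
)
SAMPLE_BENIGN = Message(
    sender=FORMS_SENDER,
    subject="Team lunch survey: copy of your responses",
    body="Thanks for filling out the survey. Your responses: pizza, Friday.",
)

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        score, reasons = score_callback_phish(msg)
        print(f"{label}: score={score} suspicious={is_suspicious(msg)} reasons={reasons}")
```

Because the article notes that the Forms URLs change per message, the check deliberately ignores the link itself and keys on the social-engineering content that every callback lure must carry: a brand, a charge and a number to call. The benign receipt scores only the single sender point and is left alone.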
Evolving Threat Landscape
New Phishing Campaign
Proofpoint has exposed a new phishing campaign targeting recruiters with direct emails, leading to the deployment of the More_eggs JavaScript backdoor.
This campaign, attributed to the skilled threat actor TA4557, focuses on delivering the More_eggs backdoor via emails that initially seem like job offers.
Advanced Techniques Deployed
The attackers send direct emails that either link to URLs posing as candidate resumes or carry attachments with instructions to visit fake resume websites.
More_eggs: Malware-as-a-Service
More_eggs, identified as malware-as-a-service, has ties to prominent cybercriminal groups such as Cobalt Group, Evil Num, and FIN6.
Its usage in various campaigns highlights the adaptability and accessibility of this malicious tool.
Trusted Sources to Cyber Hooks!
The cybersecurity landscape is witnessing a dynamic evolution in phishing tactics, with threat actors leveraging trusted platforms like Google Forms to amplify their schemes.
As the battle against cyber threats intensifies, staying informed about these evolving strategies becomes essential for all.