Microsoft disrupts credentials marketplace, warns of gift card fraud, OAuth abuse


After a relatively quiet final Patch Tuesday of 2023, Microsoft published warnings this week about the potential for gift card fraud and hackers abusing a popular authentication technology.

Alongside the warnings, Microsoft said it recently used a court order to shut down a cybercrime marketplace where 750 million fraudulent Microsoft accounts were available for sale.

Cybercrime holidays

On Thursday, Microsoft warned of a threat actor it has named Storm-0539 launching attacks on retail organizations ahead of the holiday. Researchers have seen a “surge” in the group’s activity, the company said.

The tech giant previously spotlighted the hackers in November, calling them a “financially motivated group” that has been active since late 2021. The gang has a penchant for targeting retail organizations for gift card fraud and theft and “carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access.”

“The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities,” they said.

As the holiday season kicks into full gear, Microsoft said the group was ramping up its gift card attacks by using “highly sophisticated email and SMS phishing during the holiday shopping season.”

The gang uses fake login pages to steal credentials and uses that illicit access to gain further persistence in a victim’s system.

“With each successful compromise, Storm-0539 escalates privileges, moves laterally, and accesses cloud resources to collect specific information. Storm-0539 enumerates internal resources and identifies gift card-related services that can be used for gift card fraud,” the company’s researchers said on Thursday.

“In addition to gift card fraud, Storm-0539 collects additional information, including emails, contact lists, and network configurations for future attacks against the same organization.”

Groups assigned the word “Storm” by Microsoft tend to represent a “newly discovered, unknown, emerging, or developing cluster of threat activity.”

Takedown of Vietnam-based credential sellers

Alongside the holiday season warnings, Microsoft announced this week that it obtained a court order to seize the U.S.-based infrastructure of a cybercriminal group running several websites that sold access to approximately 750 million fraudulent Microsoft-branded accounts, earning the group millions of dollars in illicit revenue.

On December 7, Microsoft got a court order from the Southern District of New York allowing it to take down the fraudulent Microsoft Outlook account marketplace as well as several websites — 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA — that “facilitate the tooling, infrastructure, and selling of the CAPTCHA solve service to bypass the confirmation of use and account setup by a real person.”

“These sites sold identity verification bypass tools for other technology platforms,” said Amy Hogan-Burney, associate general counsel at Microsoft.

Hogan-Burney said Microsoft worked with researchers at the Arkose Cyber Threat Intelligence Research unit, who provided more insight into the group’s operations — allowing them to identify three Vietnamese nationals as the culprits behind the group.

Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen were all named in the lawsuit. Microsoft said it has submitted a criminal referral to U.S. law enforcement about their activities.

“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services,” she explained, calling the group “Storm-1152.”

The websites sold fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms — reducing the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.

Hackers and cybercriminals need fraudulent accounts to prop up their automated activities, according to Microsoft. As companies get better at shutting down fraudulent accounts, cybercriminals need more and more in order to facilitate attacks.

Storm-1152 and other groups allow hackers to simply buy the accounts instead of wasting time creating them.

“Microsoft Threat Intelligence has identified multiple groups engaged in ransomware, data theft and extortion that have used Storm-1152 accounts. For example, Octo Tempest, also known as Scattered Spider, obtained fraudulent Microsoft accounts from Storm-1152,” she said.

“Octo Tempest is a financially motivated cybercrime group that leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. Microsoft continues to track multiple other ransomware or extortion threat actors that have purchased fraudulent accounts from Storm-1152 to enhance their attacks, including Storm-0252 and Storm-0455.”

Microsoft also worked with Arkose Labs to create a new CAPTCHA defense tool that forces people to prove they are a human being.

Ngoc Bui, a cybersecurity expert at Menlo Security, told Recorded Future News that the action by Microsoft highlighted the “often-overlooked technical capabilities and cybercrime activities originating from countries like Vietnam.”

OAuth misuse

On Tuesday, Microsoft warned that hackers are abusing a popular authentication tool and costing organizations millions of dollars through their actions.

The blog focused on OAuth — a standard that allows applications to get access to data and resources based on permissions set by a user.

Hackers have been able to “compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity.”

Microsoft said it saw a hacker it tracks as Storm-1283 use a compromised account to create an OAuth application that allowed them to deploy crypto mining tools.

“Targeted organizations incurred compute fees ranging from $10,000 to $1.5 million USD from the attacks, depending on the actor’s activity and duration of the attack,” Microsoft said.

“Storm-1283 looked to maintain the setup as long as possible to increase the chance of successful cryptomining activity.”

The abuse of OAuth allows hackers to maintain their access to applications “even if they lose access to the initially compromised account.”

Several attacks tracked by Microsoft saw threat actors use phishing attacks or password spraying to compromise a user account and elevate their privileges to “deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.”

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Microsoft disrupts credentials marketplace, warns of gift card fraud, OAuth abuse

Next Post

Ontario public library shuts down most services due to cyberattack

Related Posts

Malicious npm Packages Found Using Image Files to Hide Backdoor Code

Cybersecurity researchers have identified two malicious packages on the npm package registry that concealed backdoor code to execute malicious commands sent from a remote server. The packages in question – img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy – have been downloaded 190 and 48 times each. As of writing, they have been taken down by the npm security team. "They
Read More

Practical Guidance For Securing Your Software Supply Chain

The heightened regulatory and legal pressure on software-producing organizations to secure their supply chains and ensure the integrity of their software should come as no surprise. In the last several years, the software supply chain has become an increasingly attractive target for attackers who see opportunities to force-multiply their attacks by orders of magnitude. For example, look no
Read More

Network Threats: A Step-by-Step Attack Demonstration

Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit
Read More