Microsoft seizes domain used by Vietnamese group to sell fake accounts, services 

Microsoft on Wednesday seized another domain used by a trio of people based in Vietnam who were selling fraudulent accounts and services to bypass CAPTCHA puzzles, according to court documents unsealed late Wednesday. 

The seizure of a single domain — rockcaptcha[.]com — comes six months after a federal court authorized Microsoft to seize domains and infrastructure operated by the same group that was responsible for creating roughly 750 million fraudulent Microsoft accounts and CAPTCHA bypass services that were then used to facilitate a bevy of cybercrime activities, Microsoft said at the time.

Microsoft identified three Vietnamese citizens as being behind the operations and tracked the activity under the name “Storm-1152.” Accounts purchased from Storm-1152 were used as part of ransomware attacks and data theft and extortion, including activities emanating from the Scattered Spider ecosystem, Amy Hogan-Burney, Microsoft’s general manager and associate general counsel for cybersecurity policy and protection, wrote in a blog post at the time.

Investigators with Microsoft’s Digital Crimes Unit recently found a blog post, written in Vietnamese, discussing how that disruption significantly impacted the previous services, according to a court filing written by Jason Lyons, principal manager of investigations in the DCU. The blog post, published Jan. 29, 2024, unveiled a new website that offered essentially the same services. 

“My team has more than 15 years of experience in AI research (can be said to be the first generation), can create AI models to process a series of captchas at super fast speed and high accuracy rate,” the post read, according to machine translation. “In addition to AI, our team is also confident in being able to reverse-engineer all types of source code and be self-sufficient in all aspects of technology. With the above strengths, rockcaptcha.com is confident in bringing you a truly smooth service experience as well as reasonable prices.”

The authors of the post are the same people responsible for the previous operation that generated 750 million fraudulent Microsoft accounts, Lyons said. The reconstituted operation operated “on a much lesser scale, with far fewer customers,” Lyons said in the filing, but seizing the domain was important because it would “further frustrate Defendants’ efforts to maintain and add customers, weaken their credibility in the marketplace, and ultimately cause the Fraudulent Enterprise to fail.”

The operation generated roughly 1 million new Microsoft accounts per week prior to the December 2023 disruption, a Microsoft spokesperson said. Since December, Storm-1152 generated about 1 million accounts total.

A federal judge in the Southern District of New York approved the seizure on July 23, according to a court filing.

Microsoft identified three people as leading the operation: Duong Dinh Tu, Linh Van Nguyen and Tai Van Nguyen. A request for comment sent to an email associated with the alleged perpetrators was not returned.

Vietnam is “becoming more of a hub for these types of services,” Maurice Mason, a senior investigator in the DCU, told CyberScoop in a recent interview. While there are a variety of groups in the region offering similar services, the Microsoft investigation determined that “this group was most notorious, like they were the one that was actually getting the most services.”

Sean Farrell, lead counsel of cybercrime enforcement with the DCU, told CyberScoop that the initial takedown and ongoing monitoring of Storm-1152 highlights the service nature of the cybercrime ecosystem, with people willing to sell all manner of services to facilitate all kinds of cybercrime.

Farrell added that the activity marks an early example of artificial intelligence used to facilitate cybercrime, as the operators were employing AI to solve CAPTCHA puzzles — which are used to reduce inauthentic, spammy behavior — in an automated fashion. Additionally, fraudulent Microsoft accounts could also be used to give cyber criminals access to other AI resources, including from Microsoft, he said, so slowing them down is a net benefit.

“It may not look like it on its face, and I think people think of something grander or sexier, but these are the earliest indications of what actors are going to be able to do to lower that cost and the barrier to entry to cybercrime even further,” Farrell said.