Disrupting the Gateway Services to Cybercrime


pmbug

Arkose Labs, the global leader in bot management and online account security, today announced that threat intelligence from the company was provided to support Microsoft in the disruption of an alleged threat actor group that built viable cybercrime-as-a-service (CaaS) businesses. Dubbed Storm-1152 by Microsoft, the group bilked enterprises and consumers globally out of millions of dollars.

Cybercrime-as-a-service is a model where adversaries with superior technical, developer skills build attack tools, like automated bots, to sell to other fraudsters who may not be as technically adept, increasing the opportunity and reach for cybercrime and fraud. CaaS businesses encourage and enable more people to commit fraud at a volume and velocity that can overwhelm even experienced internal security operation center (SOC) teams. CaaS is in part responsible for the 167 percent increase in bot attacks this year, according to Arkose Labs’ latest threat landscape analysis.

“Storm-1152 is a formidable foe established with the sole purpose of making money by empowering adversaries to commit complex attacks,” said Kevin Gosschalk, founder and CEO, Arkose Labs. “The group is distinguished by the fact that it built its CaaS business in the light of day versus on the dark web. Storm-1152 operated as a typical internet going-concern, providing training for its tools and even offering full customer support. In reality, Storm-1152 was an unlocked gateway to serious fraud.”

The group’s CaaS business initially sold fraudsters ready-made, rote solver services for CAPTCHAs, which are the most effective security technology solutions to distinguish malicious bot attacks from genuine human consumers’ activities. Storm-1152 promoted that its solvers could bypass any type of CAPTCHA, enabling fraudsters to abuse the online environments of Microsoft and enterprises in other industries. It later pivoted its business model, deploying bots to register phony Microsoft accounts using fictitious usernames and then selling the fake accounts in bulk to other fraudsters so that they could use the accounts for a wide variety of online attacks, like phishing, malware, romance scams, in-product abuse, etc. Storm-1152 earned millions of dollars through these illicit activities, which are predicate offenses to financial crimes like money laundering.

The Arkose Cyber Threat Intelligence Research (ACTIR) unit first detected Storm-1152 in August 2021, pinpointing its whereabouts to Vietnam. “I’m incredibly proud of our threat intelligence team,” said Arkose Labs Chief Customer Officer Patrice Boffa. “ACTIR observed anomalies in Microsoft account-creation traffic, including the creation of accounts at a scale so large, fast, and efficient that it could have only been carried out through automated, machine-learning technology versus human actions. ACTIR then collaborated with our product team to enhance our solutions to run up Storm-1152’s attack effort, thus the cost.”

“No disruption is a one and done,” said Amy Hogan-Burney, Associate General Counsel, Cybersecurity Policy & Protection. “While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.

Going after cybercrime therefore requires persistence, collaboration and ongoing vigilance to disrupt new malicious infrastructure.”


A federal judge has ordered three internet service providers to block multiple websites developed by the group Storm-1152, which is alleged to be the top creator and seller of fraudulent Microsoft accounts.
...
Three defendants are named in the restraining order: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen, all based out of Vietnam. Microsoft said the three lead Storm-1152's operations and that they operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services.
...
Microsoft said it has asked law enforcement authorities to conduct a criminal investigation.

In his findings related to the leaders of Storm-1152, U.S. District Judge Paul Engelmayer said there was "good cause" to believe that the defendants had engaged in eight criminal practices, including racketeering and trademark infringement. That justified the order to take down four websites: 1stcaptcha.com, anycaptcha.com, nonecaptcha.com, and hotmailbox.me, according to Engelmayer.

The court ordered VeriSign and Identity Digital, the managers and operators of the .com and .me registries, to reregister the fraudulent domains to be under Microsoft's control. The court also ordered Cloudflare, the service provider for the fraudulent websites, to preserve evidence related to the case, disable computers serving the fraudulent websites, and prevent the defendants from registering additional domains.
...
Microsoft has identified multiple groups engaged in ransomware, data theft and extortion that have used Storm-1152 accounts, including Scattered Spider (also known as Octo Tempest), the group behind the ransomware attack against MGM Resorts and financial-sector targets.
...


A few cockroaches getting squashed. More will likely replace them.
 