
Microsoft seizes hundreds of phishing sites tied to massive credential theft operation

16 September 2025 at 17:55

Microsoft’s Digital Crimes Unit coordinated the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that developed and sold phishing kits that have been used to steal more than 5,000 Microsoft credentials since July 2024, the company said Tuesday. 

The threat group, which Microsoft tracks as Storm-2246, enabled cybercriminals to steal credentials from organizations spanning 94 countries, making it the “fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords,” Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.

RaccoonO365 services were used indiscriminately to target more than 2,300 U.S. organizations in a tax-themed phishing campaign earlier this year. Its kits, which use Microsoft branding for fraudulent emails, attachments and websites, have also been used against at least 20 U.S. health care organizations, according to Microsoft. 

“The rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially,” Masada said.

Microsoft, acting on a court order granted by the U.S. District Court for the Southern District of New York, worked with Cloudflare to seize and take down RaccoonO365’s infrastructure. The company also worked with Chainalysis to trace the threat group’s cryptocurrency transactions, allowing it to attribute malicious online activity to real identities.

Microsoft accuses Joshua Ogundipe of Nigeria of running the criminal enterprise, which sold phishing kits to a community base of more than 850 members on Telegram. Ogundipe and his associates have received at least $100,000 in cryptocurrency payments, reflecting an estimate of up to 200 subscriptions. 

“During the investigation, the DCU engaged directly with the threat actor without disclosing our identity to acquire the phishing kits,” Maurice Mason, principal cybercrime investigator at Microsoft’s DCU, said in a Q&A with Chainalysis.

In a separate purchase, the alleged cybercriminal inadvertently shared a cryptocurrency wallet address for payment that allowed investigators to trace the funds to a wallet hosted on a Nigeria-based cryptocurrency exchange previously linked to Ogundipe, Mason added. 

Microsoft said Ogundipe has a background in computer programming and accused him of writing the majority of the code for the subscription-based phishing service, which allows cybercriminals to send up to 9,000 phishing emails per day. Investigators said RaccoonO365 may have facilitated the transmission of hundreds of millions of malicious emails.

Microsoft, which sent a criminal referral for Ogundipe to international law enforcement, also addressed continued discontent with persisting legal challenges. 

“Today’s patchwork of international laws remains a major obstacle and cybercriminals exploit these gaps,” Masada said. “Governments must work together to align their cybercrime laws, speed up cross-border prosecutions and close the loopholes that let criminals operate with impunity.”

RaccoonO365’s kits sent emails to victims with malicious attachments, links or QR codes that redirected users to a fake Microsoft O365 login page to harvest credentials, Cloudflare researchers said in a blog post. When victims entered credentials, the kit allowed attackers to capture the password and resulting session cookie, bypassing multifactor authentication.

The codebase included functions for anti-analysis and evasion, user-agent filtering, security vendor evasion, network-level blocking and dynamic traffic routing, according to Cloudflare.

The phishing emails were often a precursor to malware and ransomware, yet not every stolen credential led to compromised networks or fraud, according to Microsoft. The company said it always expects cybercriminals to try to rebuild operations after a takedown and pledged to take additional steps to dismantle any new or reemerging infrastructure.

The post Microsoft seizes hundreds of phishing sites tied to massive credential theft operation appeared first on CyberScoop.

Nigerian accused of hacking tax preparation businesses extradited to US

6 August 2025 at 23:54

French authorities extradited a 39-year-old Nigerian national to the United States Monday for allegedly hacking into tax preparation businesses and participating in a years-long conspiracy to defraud the Internal Revenue Service and state tax agencies.

Chukwuemeka Victor Amachukwu and his Nigeria-based co-conspirators, including Kingsley Uchelue Utulu, are accused of obtaining about $2.5 million in fraudulent tax refunds from 2019 to 2023, the Justice Department said Tuesday. The conspirators sought fraudulent tax refunds of at least $8.4 million, according to prosecutors.

“Amachukwu allegedly operated multiple illicit fraud schemes — identity theft, computer intrusions via spearphishing, and false investments — profiting at the costs of others,” FBI Assistant Director in Charge Christopher G. Raia said in a statement.

Prosecutors accuse Amachukwu and his co-conspirators of accessing computer systems of tax preparation businesses in New York, Texas and other states via spearphishing emails. The cybercrime crew allegedly filed false tax returns with federal and state authorities using identities stolen from the victim organizations. 

In one of those attacks, in May 2021, members of the conspiracy sent a spearphishing email to an employee of a New York-based tax preparation business, which infected the firm’s computer systems with malware, according to an unsealed indictment.

Authorities said Amachukwu and his co-conspirators also used the stolen identities to file fraudulent claims with the Small Business Administration’s Economic Injury Disaster Loan program, obtaining at least $819,000 in payouts.

Amachukwu faces up to 47 years in prison for multiple charges, including conspiracy to commit computer intrusions, two counts of conspiracy to commit wire fraud, two counts of wire fraud and aggravated identity theft.

“Amachukwu also allegedly took part in a separate fraud scheme that promised his victims valuable investments that did not in fact exist,” U.S. Attorney Jay Clayton said in a statement. Officials said Amachukwu stole millions of dollars of his victims’ money from this scheme.

The FBI, Justice Department’s Office of International Affairs and the U.S. Marshals Service assisted the investigation, which led to Amachukwu’s arrest and extradition from France.

The post Nigerian accused of hacking tax preparation businesses extradited to US appeared first on CyberScoop.
