* Microsoft (MSFT) obtained a court order to seize domains
* Raccoon0365 targeted over 2,300 organizations with tax-themed
phishing campaigns in February
* Operators generated at least $100,000 in cryptocurrency since
July 2024, Microsoft says
By AJ Vicens
Sept 16 (Reuters) - Microsoft said on Tuesday that it seized
nearly 340 websites tied to a rapidly growing Nigeria-based
service that allowed users to carry out phishing operations that
stole at least 5,000 Microsoft user credentials.
Microsoft obtained an order from the U.S. District Court in
Manhattan earlier this month to seize domains associated with
Raccoon0365, the subscription service that allowed users to carry
out massive phishing campaigns, which sometimes involved thousands
of emails at a time, according to Steven Masada, assistant general
counsel for Microsoft's Digital Crimes Unit.
Raccoon0365's service, which operates through a private
Telegram channel with more than 850 subscribers, enables users
to impersonate trusted brands and get targets to enter Microsoft
login credentials on phony Microsoft login pages, Masada said in
a blog posted on Microsoft's website.
The service has generated for its small group of operators at
least $100,000 in cryptocurrency payments since launching in
July 2024, Masada said in the blog.
Microsoft said the seizure of the websites occurred over a
period of days earlier this month.
Microsoft identified Nigeria-based Joshua Ogundipe as the leader
and main operator of Raccoon0365. Ogundipe did not immediately
respond to an email request for comment sent to the email
address identified by Microsoft in its court filing.
"Cybercriminals don't need to be sophisticated to cause
widespread harm," Masada said. "Simple tools like Raccoon0365
make cybercrime accessible to virtually anyone, putting millions
of users at risk."
Raccoon0365 subscribers have targeted a wide swath of
industries, Masada said, and separate court filings allege that
"a significant portion" of Raccoon0365 activity targets
organizations based in New York City.
Masada said Microsoft identified a Raccoon0365-related effort
that used tax-themed phishing emails to target more than 2,300
organizations, mostly in the U.S., between February 12 and
February 28 this year, according to a company blog posted in
April.
Errol Weiss, chief security officer of the Health Information
Sharing & Analysis Center (Health-ISAC), which provides
cybersecurity services to member health organizations and is a
co-plaintiff alongside Microsoft, said Raccoon0365 has been
linked to successful credential harvesting through phishing
campaigns at a minimum of five unnamed healthcare organizations,
and to the targeting of 25 health sector organizations overall.
Once hackers gain that access, any number of things can happen,
Weiss said.
"So many of the attacks start because somebody gave up their
user name and password to a bad guy," Weiss said in an
interview. "Once that cybercriminal has access to the network,
then it's just up to the imagination in terms of what comes next
and how they monetize it."
The Raccoon0365 operators used services provided by Cloudflare
to help hide the service's backend infrastructure, the internet
services firm said in its own blog post. Cloudflare worked with
Microsoft and the U.S. Secret Service to disrupt Raccoon0365
operations on its platform and prevent the operators from
establishing new accounts, the company said.
Blake Darché, the head of threat intelligence at Cloudflare,
said in an interview that the Raccoon0365 operators made some
key operational security mistakes but were highly effective.
"They're in people's accounts, they compromise lots of people,
and it needs to obviously be stopped," he said.