By AJ Vicens

Microsoft Inc said on Tuesday that it seized nearly 340 websites tied to a rapidly growing Nigerian-based service that allowed users to carry out phishing operations that stole at least 5,000 Microsoft user credentials.

Microsoft obtained an order from the U.S. District Court in Manhattan earlier this month to seize domains associated with Raccoon0365, the subscription service that allowed users to carry out massive phishing campaigns, which sometimes involved thousands of emails at a time, according to Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit.

Raccoon0365’s service, which operates through a private Telegram channel with more than 850 subscribers, enables users to impersonate trusted brands and get targets to enter Microsoft login credentials on phony Microsoft login pages, Masada said in a blog posted on Microsoft’s website.

The service has generated for its small group of operators at least $100,000 in cryptocurrency payments since launching in July 2024, Masada said in the blog.

Microsoft said the seizure of the websites occurred over a period of days earlier this month. Microsoft identified Nigeria-based Joshua Ogundipe as the leader and main operator of Raccoon0365. Ogundipe did not immediately respond to an email request for comment sent to the email address identified by Microsoft in its court filing.

“Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada said. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”

Raccoon0365 subscribers have targeted a wide swath of industries, Masada said, and separate court filings allege that “a significant portion” of Raccoon0365 activity targets organizations based in New York City.

Masada said Microsoft identified what it said was a Raccoon0365-related effort using tax-themed phishing emails to target more than 2,300 organizations, mostly in the U.S., between February 12 and February 28 this year, according to a company blog posted in April.

Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (Health-ISAC), which provides cybersecurity services to member health organizations and is a co-plaintiff alongside Microsoft, said Raccoon0365 has been linked to successful credential harvesting through phishing campaigns at at least five unnamed healthcare organizations, while targeting 25 health sector organizations overall.

Once hackers gain that access, any number of things can happen, Weiss said. “So many of the attacks start because somebody gave up their user name and password to a bad guy,” Weiss said in an interview. “Once that cybercriminal has access to the network, then it’s just up to the imagination in terms of what comes next and how they monetize it.”

The Raccoon0365 operators used services provided by Cloudflare to help hide the service’s backend infrastructure, the internet services firm said in its own blog post. Cloudflare worked with Microsoft and the U.S. Secret Service to disrupt Raccoon0365 operations on its platform and prevent the operators from establishing new accounts, the company said.

Blake Darche, the head of threat intelligence at Cloudflare, said in an interview that the Raccoon0365 operators made some key operational security mistakes but were highly effective. “They’re in people’s accounts, they compromise lots of people, and it needs to obviously be stopped,” he said.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!