Microsoft Takes Down 340 Websites Linked to Nigerian Phishing Operation

Microsoft has taken decisive action against a significant phishing operation by seizing nearly 340 websites associated with Raccoon0365, a rapidly expanding service based in Nigeria. This operation has been implicated in the theft of at least 5,000 Microsoft user credentials. The company secured an order from the U.S. District Court in Manhattan earlier this month, enabling them to dismantle the domains related to this subscription-based phishing service.

The takedown unfolded over several days and specifically targeted Raccoon0365’s activities, which were primarily conducted through a private Telegram channel boasting more than 850 subscribers. Launched in July 2024, Raccoon0365 allowed its users to impersonate trusted brands effectively, deceiving victims into providing their Microsoft login details via fraudulent webpages.

According to Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, the operation was led by Nigeria-based Joshua Ogundipe. This service reportedly generated at least $100,000 in cryptocurrency payments. Attempts to reach Ogundipe for comment were unsuccessful.

Impact of Phishing on Various Industries

Masada highlighted the accessibility of cybercrime through simple tools, stating, “Cybercriminals don’t need to be sophisticated to cause widespread harm. Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.” Court documents reveal that Raccoon0365 targeted various sectors, with a substantial focus on organizations located in New York City.

Earlier this year, Microsoft connected the service to tax-themed phishing campaigns that aimed to breach over 2,300 U.S. organizations within just two weeks. The healthcare sector has particularly suffered, with Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (Health-ISAC), confirming that the service was linked to successful credential thefts at five healthcare organizations, alongside attempted attacks on at least 25 others.

“So many of the attacks start because somebody gave up their username and password,” Weiss explained. “Once that access is gained, it’s only a matter of how criminals choose to exploit it.”

Collaboration to Combat Cybercrime

The Raccoon0365 operators utilized Cloudflare services to mask their infrastructure. In response, Cloudflare collaborated with Microsoft and the U.S. Secret Service to disrupt the phishing network. Blake Darché, head of threat intelligence at Cloudflare, emphasized the urgency of the situation, stating, “They’re in people’s accounts, they compromise lots of people, and it needs to obviously be stopped.”

With the seizure of Raccoon0365’s domains, Microsoft and its partners claim to have significantly undermined one of the most accessible phishing services available. Nonetheless, the company cautions that similar low-cost cybercrime tools continue to emerge, presenting ongoing risks to users worldwide.