Key points
- Microsoft seized nearly 340 websites linked to the Raccoon0365 phishing service.
- Raccoon0365, operating via Telegram, enabled users to conduct large-scale phishing campaigns.
- The service stole at least 5,000 Microsoft user credentials and generated over $100,000 for its operators.
- Nigerian national Joshua Ogundipe is identified as the main operator of Raccoon0365.
Microsoft has successfully dismantled Raccoon0365, a prolific Nigeria-based phishing operation responsible for stealing thousands of Microsoft user credentials. The tech giant obtained a court order to seize approximately 340 websites associated with the service, which operated through a private Telegram channel boasting over 850 subscribers.
Raccoon0365 offered a subscription-based service enabling users to launch massive phishing campaigns, often targeting thousands of email recipients simultaneously. These campaigns impersonated trusted brands, luring victims into entering their Microsoft login credentials on fraudulent websites.
Since its launch in July 2024, Raccoon0365 has generated at least $100,000 in cryptocurrency for its small group of operators. Microsoft’s investigation pinpointed Joshua Ogundipe, a Nigerian national, as the primary operator and leader of the operation.
While Microsoft has attempted to contact Ogundipe for comment, it has yet to receive a response. The ease of use of the Raccoon0365 service underscores a growing concern within the cybersecurity community: sophisticated cybercriminal tooling is now readily accessible to relatively unsophisticated actors.
The impact of Raccoon0365 extended across various industries, with a significant portion of its activity targeting organizations in New York City. One particularly concerning campaign involved tax-themed phishing emails targeting over 2,300 organizations, primarily in the U.S., between February 12th and 28th of this year.
The compromised credentials allowed attackers to gain access to sensitive information and networks, potentially resulting in significant financial and reputational damage. The Health Information Sharing & Analysis Center (Health-ISAC) reported that at least five healthcare organizations experienced successful credential harvesting through phishing attempts related to Raccoon0365.
The operation relied on Cloudflare’s services to mask its backend infrastructure. However, Cloudflare collaborated with Microsoft and the U.S. Secret Service to disrupt Raccoon0365’s activities on its platform and prevent the creation of new accounts. This collaboration underscores the growing significance of public-private partnerships in countering sophisticated cyber threats.
The takedown of Raccoon0365 serves as a stark reminder of the persistent threat of phishing attacks and the need for robust cybersecurity measures to protect individuals and organizations.