Moroccan Cybercrime Group Profits $100K Daily from Gift Card Fraud

Microsoft is drawing attention to Storm-0539, a cybercrime group based in Morocco that uses sophisticated email and SMS phishing attacks to commit gift card fraud and theft.

The company’s latest Cyber Signals report states, “Their main goal is to steal gift cards and sell them at a reduced price online. We have seen cases where the threat actor has stolen up to $100,000 in a day from certain companies.”

Initially highlighted by Microsoft in mid-December 2023, Storm-0539 was associated with social engineering campaigns leading up to the holiday season to steal victim credentials and session tokens using adversary-in-the-middle (AitM) phishing pages.

The group, also known as Atlas Lion and operating since late 2021, uses its initial access to register its own devices and gain elevated privileges, then compromises gift card services by creating fake cards to facilitate fraud.

Their attack chains are designed to gain covert access to victims’ cloud environments, allowing extensive reconnaissance and infrastructure weaponization to achieve their goals. Targets include large retailers, luxury brands, and popular fast-food chains.

Storm-0539 aims to redeem the value of stolen cards, sell them on black markets, or use money mules for cashing out. This marks a tactical shift from their previous activity of stealing payment card data using malware on point-of-sale (PoS) devices.

Microsoft reported a 30% increase in Storm-0539 intrusion activity between March and May 2024, noting that the group uses its deep knowledge of the cloud to conduct reconnaissance on gift card issuance processes.

The FBI has warned of smishing attacks in which Storm-0539 targets retail corporations’ gift card departments and uses a sophisticated phishing kit to bypass multi-factor authentication (MFA).

The actors also try to acquire SSH passwords and keys, which can be sold or used for follow-on attacks, so the threat to organizations extends beyond gift card theft.

Enea uncovered criminal campaigns exploiting cloud storage services for SMS-based gift card scams, redirecting users to malicious websites via authentic-looking URLs distributed through text messages.

This exploitation of cloud infrastructure highlights the evolving tactics of financially motivated groups, which impersonate legitimate entities and use advanced techniques to evade detection.

Microsoft advises companies that issue gift cards to prioritize monitoring for suspicious logins and to implement robust security measures such as conditional access policies.

Storm-0539’s use of compromised legitimate emails and platforms makes its attacks persuasive, underscoring the need for organizations to strengthen their security posture against such sophisticated attacks.

Criminal groups like Storm-0539 continue to evolve their tactics, exploiting cloud services for malicious activities and posing significant risks to mobile users and organizations.

Enea’s research sheds light on the techniques used by threat actors, emphasizing the importance of vigilance and proactive security measures in safeguarding against cyber threats.
