Microsoft has spotlighted a Morocco-based cybercrime group known as Storm-0539, notorious for its email and SMS phishing attacks aimed at gift card fraud.
This revelation is part of Microsoft's latest Cyber Signals report.
The Modus Operandi of Storm-0539
Also tracked as Atlas Lion, the Storm-0539 cybercrime gang has been active since late 2021. The group's primary goal is to steal gift cards and sell them online at discounted rates. In some cases, thefts of up to $100,000 per day have been reported at certain companies.
Tactics and Techniques
The group's tactics involve advanced social engineering campaigns, especially around the year-end holiday season, to steal credentials and session tokens through adversary-in-the-middle (AitM) phishing pages.
Once initial access is gained, Storm-0539 registers its own devices to bypass authentication, ensuring persistent access and elevated privileges. This access allows them to compromise gift card services, create fraudulent gift cards, and conduct extensive reconnaissance within a victim's cloud environment.
Targeted Industries
Storm-0539 primarily targets large retailers, luxury brands, and fast-food chains. Their ultimate objective is to redeem, sell, or cash out the stolen gift card values. This marks a tactical evolution from their previous focus on payment card data theft using malware on point-of-sale (PoS) devices.
Recent Surge in Activity
Microsoft observed a 30% increase in Storm-0539's activities between March and May 2024. The attackers leverage their deep knowledge of cloud infrastructure to infiltrate organizations' gift card issuance processes.
The U.S. Federal Bureau of Investigation (FBI) also released an advisory warning about smishing attacks by Storm-0539, highlighting their use of sophisticated phishing kits to bypass multi-factor authentication (MFA).
"Storm-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by Storm-0539 actors in order to redeem the gift cards," the FBI said.
Comprehensive Attack Strategies
Storm-0539's strategies go beyond stealing login credentials, according to Bleeping Computer. They also target secure shell (SSH) passwords and keys for financial gain or follow-on attacks.
Another notable tactic is the use of legitimate internal mailing lists to disseminate phishing messages, adding authenticity to their attacks. They also create free trials or student accounts on cloud platforms to set up phishing websites.
Exploiting Cloud Infrastructure
Storm-0539's abuse of cloud infrastructure, including impersonating legitimate non-profits, mirrors techniques used by state-sponsored actors to camouflage operations and evade detection. This trend signifies that financially motivated groups are adopting advanced tactics from state-sponsored playbooks.
Mitigation Measures
Microsoft is warning companies that issue gift cards to be extra careful, monitoring their gift card portals as high-value targets and watching for suspicious logins. It recommends complementing MFA with conditional access policies that evaluate authentication requests using additional identity-driven signals such as IP address location and device status.
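As an added example (not from Microsoft's report or this article), the following Python detection correlates the two behaviours described above: a sign-in that fails the location or device-status signal, followed shortly by a new device registration for the same user. The event field names, the per-user country baseline, the 30-minute window, and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
# Assumed per-user baseline of usual sign-in countries.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "CA"}}

# Constructed events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "signin", "country": "US", "managed": True},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "type": "device_registered", "device": "LAPTOP-A"},
    {"ts": "2024-05-02T03:10:00", "user": "bob", "type": "signin", "country": "FR", "managed": False},
    {"ts": "2024-05-02T03:18:00", "user": "bob", "type": "device_registered", "device": "PHONE-X"},
    {"ts": "2024-05-03T11:00:00", "user": "carol", "type": "signin", "country": "CA", "managed": False},
    {"ts": "2024-05-03T12:30:00", "user": "carol", "type": "device_registered", "device": "TABLET-C"},
]

def is_risky(signin, baseline):
    """Risky = unfamiliar country for this user, or an unmanaged device."""
    known = baseline.get(signin["user"], set())
    return signin["country"] not in known or not signin["managed"]

def suspicious_registrations(events, baseline, window=WINDOW):
    """Return device registrations that follow a risky sign-in by the
    same user within `window`."""
    last_risky = {}  # user -> (timestamp, sign-in event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "signin":
            # A later clean sign-in does not clear an earlier risky one:
            # a stolen session can run in parallel with the real user.
            if is_risky(ev, baseline):
                last_risky[ev["user"]] = (ts, ev)
        elif ev["type"] == "device_registered":
            hit = last_risky.get(ev["user"])
            if hit and ts - hit[0] <= window:
                alerts.append({
                    "user": ev["user"],
                    "device": ev["device"],
                    "country": hit[1]["country"],
                    "delay_min": int((ts - hit[0]).total_seconds() // 60),
                })
    return alerts

if __name__ == "__main__":
    for alert in suspicious_registrations(EVENTS, BASELINE):
        print(alert)
```

The same signals that raise the alert here (location and device status) are the ones a conditional access policy would evaluate before allowing the sign-in or the registration at all.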
Emerging Threats in Cloud Storage
Enea has revealed details of criminal campaigns exploiting cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card scams. These scams use URLs linking to cloud storage to bypass firewall restrictions, redirecting users to malicious websites to steal sensitive information.
Companies must adopt strong security measures to protect against these sophisticated attacks. By treating gift card portals as high-value targets and enhancing authentication processes, organizations can mitigate the risks posed by groups like Storm-0539.