Storm-0539 Cybercrime Gang: Microsoft Alerts Companies of Gift Card Fraud From Moroccan Hackers

The group allegedly stole up to $100,000 worth of gift cards.

Microsoft has spotlighted a Morocco-based cybercrime group known as Storm-0539, notorious for its email and SMS phishing attacks aimed at gift card fraud.

This revelation is part of Microsoft's latest Cyber Signals report.

The Modus Operandi of Storm-0539


Also known as Atlas Lion, the Storm-0539 cybercrime gang has been active since late 2021. The group's primary goal is to steal gift cards and sell them online at discounted rates. In some instances, thefts of up to $100,000 per day from certain companies have been reported.

Tactics and Techniques

The group's tactics involve advanced social engineering campaigns, especially around the year-end holiday season, to steal credentials and session tokens through adversary-in-the-middle (AitM) phishing pages.

Once initial access is gained, Storm-0539 registers its own devices to bypass authentication, ensuring persistent access and elevated privileges. This access allows them to compromise gift card services, create fraudulent gift cards, and conduct extensive reconnaissance within a victim's cloud environment.

Targeted Industries

Storm-0539 primarily targets large retailers, luxury brands, and fast-food chains. Their ultimate objective is to redeem, sell, or cash out the stolen gift card values. This marks a tactical evolution from their previous focus on payment card data theft using malware on point-of-sale (PoS) devices.

Recent Surge in Activity

Microsoft observed a 30% increase in Storm-0539's activities between March and May 2024. The attackers leverage their deep knowledge of cloud infrastructure to infiltrate organizations' gift card issuance processes.

The U.S. Federal Bureau of Investigation (FBI) also released an advisory warning about smishing attacks by Storm-0539, highlighting their use of sophisticated phishing kits to bypass multi-factor authentication (MFA).

"Storm-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by Storm-0539 actors in order to redeem the gift cards," the FBI said.

Comprehensive Attack Strategies

Storm-0539's strategies go beyond stealing login credentials, according to Bleeping Computer. They also target secure shell (SSH) passwords and keys for financial gain or follow-on attacks.

Another notable tactic is the use of legitimate internal mailing lists to disseminate phishing messages, adding authenticity to their attacks. They also create free trials or student accounts on cloud platforms to set up phishing websites.

Exploiting Cloud Infrastructure

Storm-0539's abuse of cloud infrastructure, including impersonating legitimate non-profits, mirrors techniques used by state-sponsored actors to camouflage operations and evade detection. This trend signifies that financially motivated groups are adopting advanced tactics from state-sponsored playbooks.

Mitigation Measures

Microsoft is warning companies that issue gift cards to treat their gift card portals as high-value targets and to monitor them for suspicious logins. It recommends complementing MFA with conditional access policies that evaluate authentication requests using additional identity-driven signals such as IP address location and device status.
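The sequence described above (a sign-in from an unfamiliar location or unmanaged device, a new device registration, then email changes on gift cards) can be turned into a simple correlation rule. The following is an added example, not code from Microsoft or the FBI; the event field names, the per-user country baseline, the 24-hour window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "signin", "country": "US", "managed": True},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "type": "giftcard_email_change", "device": "corp-laptop-1", "card": "GC-0001"},
    {"ts": "2024-05-02T02:10:00", "user": "bob", "type": "signin", "country": "XX", "managed": False},
    {"ts": "2024-05-02T02:14:00", "user": "bob", "type": "device_registered", "device": "dev-9f3"},
    {"ts": "2024-05-02T03:00:00", "user": "bob", "type": "giftcard_email_change", "device": "dev-9f3", "card": "GC-0042"},
    {"ts": "2024-05-02T03:01:00", "user": "bob", "type": "giftcard_email_change", "device": "dev-9f3", "card": "GC-0043"},
]
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}  # assumed per-user baseline


def detect(events, baseline, window=WINDOW):
    """Flag device registrations that follow a risky sign-in, and gift card
    email changes made from a device flagged that way."""
    alerts = []
    risky_signin = {}    # user -> time of last risky sign-in
    suspect_device = {}  # (user, device) -> registration time
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "signin":
            # Identity-driven signals: IP location and device status.
            if e["country"] not in baseline.get(user, set()) or not e["managed"]:
                risky_signin[user] = ts
        elif e["type"] == "device_registered":
            seen = risky_signin.get(user)
            if seen is not None and ts - seen <= window:
                suspect_device[(user, e["device"])] = ts
                alerts.append(("device_registered_after_risky_signin", user, e["device"]))
        elif e["type"] == "giftcard_email_change":
            reg = suspect_device.get((user, e["device"]))
            if reg is not None and ts - reg <= window:
                alerts.append(("giftcard_change_from_suspect_device", user, e["card"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, USUAL_COUNTRIES):
        print(alert)
```
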

Emerging Threats in Cloud Storage

Enea has revealed details of criminal campaigns exploiting cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card scams. These scams use URLs linking to cloud storage to bypass firewall restrictions, redirecting users to malicious websites to steal sensitive information.

Companies must adopt strong security measures to protect against these sophisticated attacks. By treating gift card portals as high-value targets and enhancing authentication processes, organizations can mitigate the risks posed by groups like Storm-0539.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.