Microsoft is calling attention to a Morocco-based cybercrime group dubbed Storm-0539 that’s behind gift card fraud and theft through highly sophisticated email and SMS phishing attacks.
“Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate,” the company said in its latest Cyber Signals report. “We’ve seen some examples where the threat actor has stolen up to $100,000 a day at certain companies.”
Storm-0539 was first spotlighted by Microsoft in mid-December 2023, linking it to social engineering campaigns ahead of the year-end holiday season to steal victims’ credentials and session tokens via adversary-in-the-middle (AitM) phishing pages.
The gang, also called Atlas Lion and active since at least late 2021, is known to then abuse the initial access to register their own devices to bypass authentication and obtain persistent access, gain elevated privileges, and compromise gift card-related services by creating bogus gift cards to facilitate fraud.
The attack chains are further designed to gain covert access to a victim’s cloud environment, allowing the threat actor to carry out extensive reconnaissance and weaponize the infrastructure to achieve their end goals. Targets of the campaign include large retailers, luxury brands, and well-known fast-food restaurants.
The end goal of the operation is to redeem the value associated with those cards, sell the gift cards to other threat actors on black markets, or use money mules to cash out the gift cards.
The criminal targeting of gift card portals marks a tactical evolution of the threat actor, which has previously engaged in stealing payment card data by using malware on point-of-sale (PoS) devices.
The Windows maker said it observed a 30% increase in Storm-0539 intrusion activity between March and May 2024, describing the attackers as leveraging their deep knowledge of the cloud to “conduct reconnaissance on an organization’s gift card issuance processes.”
Earlier this month, the U.S. Federal Bureau of Investigation (FBI) released an advisory warning of smishing attacks perpetrated by the group targeting the gift card departments of retail corporations using a sophisticated phishing kit to bypass multi-factor authentication (MFA).
“In one instance, a corporation detected Storm-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards,” the FBI said.
“Storm-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by Storm-0539 actors in order to redeem the gift cards.”
It’s worth noting that the threat actor’s activities go beyond stealing the login credentials of gift card department personnel. Their efforts also extend to acquiring secure shell (SSH) passwords and keys, which could then be sold for financial gain or used for follow-on attacks.
Another tactic adopted by Storm-0539 entails the use of legitimate internal company mailing lists to disseminate phishing messages upon gaining initial access, adding a veneer of authenticity to the attacks. It has also been found creating free trials or student accounts on cloud service platforms to set up new websites.
The abuse of cloud infrastructure, including by impersonating legitimate non-profits to cloud service providers, is a sign that financially motivated groups are borrowing a page out of advanced state-sponsored actors’ playbooks to camouflage their operations and remain undetected.
Microsoft is urging companies that issue gift cards to treat their gift card portals as high-value targets by monitoring for suspicious logins.
“Organizations should also consider complementing MFA with conditional access policies where authentication requests are evaluated using additional identity-driven signals like IP address location information or device status, among others,” the company noted.
“Storm-0539 operations are persuasive due to the actor’s use of legitimate compromised emails and the mimicking of legitimate platforms used by the targeted company.”
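The FBI advisory quoted above describes email addresses on unredeemed gift cards being changed so the cards can be redeemed; the sketch below is an added example (not from Microsoft, the FBI, or any gift card platform) of a portal-side check for that pattern. The audit schema, operator names, card IDs, and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (timestamp, operator, action, card, card state before the action).
# The schema and every value are assumptions for illustration, not a real portal's log format.
EVENTS = [
    ("2024-05-02T09:00:00", "agent.a", "email_change", "GC-1001", "unredeemed"),
    ("2024-05-03T14:00:00", "agent.b", "email_change", "GC-2001", "unredeemed"),
    ("2024-05-03T14:05:00", "agent.b", "email_change", "GC-2002", "unredeemed"),
    ("2024-05-03T14:12:00", "agent.b", "email_change", "GC-2003", "unredeemed"),
    ("2024-05-03T14:40:00", "customer", "redeem", "GC-2002", "unredeemed"),
    ("2024-05-06T10:00:00", "customer", "redeem", "GC-1001", "unredeemed"),
]

def email_change_bursts(events, window=timedelta(minutes=30), threshold=3):
    """Operators who changed the email on `threshold`+ distinct unredeemed cards within `window`."""
    per_actor = defaultdict(list)
    for ts, actor, action, card, state in events:
        if action == "email_change" and state == "unredeemed":
            per_actor[actor].append((datetime.fromisoformat(ts), card))
    flagged = {}
    for actor, changes in per_actor.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Slide the window start forward until it spans at most `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            cards = {card for _, card in changes[start:end + 1]}
            if len(cards) >= threshold:
                flagged.setdefault(actor, set()).update(cards)
    return {actor: sorted(cards) for actor, cards in flagged.items()}

def redeemed_soon_after_change(events, max_gap=timedelta(hours=24)):
    """List cards redeemed within `max_gap` of an email change on the same card."""
    last_change, hits = {}, []
    for ts, _actor, action, card, _state in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "email_change":
            last_change[card] = when
        elif action == "redeem" and card in last_change:
            if when - last_change[card] <= max_gap:
                hits.append(card)
    return hits

if __name__ == "__main__":
    print(email_change_bursts(EVENTS))
    print(redeemed_soon_after_change(EVENTS))
```

A single email change followed by a redemption days later, as with the constructed `agent.a` event, stays below both thresholds; tune the window and count to the portal's normal support volume.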
The development comes as Enea revealed details of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card scams that redirect users to malicious websites with an aim to plunder sensitive information.
“The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions,” Enea researcher Manoj Kumar said.
“When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket. This website then automatically forwards or redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript, all without the user’s awareness.”
In early April 2023, Enea also uncovered campaigns that involve URLs constructed using the legitimate Google address, “google.com/amp,” which is then combined with encoded characters to conceal the scam URL.
“This kind of trust is being exploited by malicious actors trying to trick mobile subscribers by hiding behind seemingly legitimate URLs,” Kumar pointed out. “Attacker techniques can include luring subscribers to their websites under false pretenses, and stealing sensitive information such as credit card details, email or social media credentials, and other personal data.”
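For filtering on the defender's side, the two URL tricks Enea describes can be normalized before any reputation check; the following is an added example, not Enea's tooling. The storage hostname patterns and the `/amp/s/<host>/...` path layout are assumptions based on the providers' commonly seen public endpoints, and all sample URLs in the test are constructed.

```python
from urllib.parse import urlsplit, unquote

# Hostname patterns for the storage services named in the article. These are
# commonly seen public endpoints, listed here as assumptions; extend as needed.
STORAGE_SUFFIXES = {
    "storage.googleapis.com": "Google Cloud Storage",
    "backblazeb2.com": "Backblaze B2",
    "cloud-object-storage.appdomain.cloud": "IBM Cloud Object Storage",
}

def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly so double-encoded characters are exposed."""
    for _ in range(max_rounds):
        if (decoded := unquote(text)) == text:
            break
        text = decoded
    return text

def unwrap_amp(url):
    """Return the destination embedded in a google.com/amp link, or None.
    Assumed layout: /amp/s/<host>/<path> for HTTPS, /amp/<host>/<path> for HTTP."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in ("google.com", "www.google.com"):
        return None
    path = fully_decode(parts.path)
    if not path.startswith("/amp/"):
        return None
    rest = path[len("/amp/"):]
    scheme, rest = ("https", rest[2:]) if rest.startswith("s/") else ("http", rest)
    return f"{scheme}://{rest}" if rest else None

def storage_service(host):
    """Name the cloud storage service serving `host`, or None."""
    labels = host.split(".")
    if host.endswith(".amazonaws.com") and any(l.startswith("s3") for l in labels):
        return "Amazon S3"
    for suffix, name in STORAGE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def triage(url):
    """Resolve the destination host of an SMS link and list reasons to review it."""
    destination = unwrap_amp(url) or url
    host = (urlsplit(destination).hostname or "").lower()
    checks = [("amp-wrapped", destination != url),
              ("percent-encoded", fully_decode(url) != url),
              ("cloud-storage", storage_service(host) is not None)]
    return {"host": host, "service": storage_service(host),
            "reasons": [name for name, hit in checks if hit]}
```

The resolved `host`, not the google.com or storage-provider domain in the raw link, is what should be passed to reputation or blocklist lookups.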