
Microsoft warns of Storm-0539’s aggressive gift card theft

Gift cards have become the target of choice for hackers looking to quickly monetize stolen data or compromised systems. The appeal lies in how easily they can be resold and converted into cash, making them a relatively risk-free means for threat actors to profit from their illicit activities. Recently, Microsoft cybersecurity analysts uncovered a threat group known as Storm-0539 (also known as Atlas Lion) that is specifically targeting the gift card system.

Storm-0539 is adept at adjusting its tactics to keep pace with changes in retail, payment, and other industries associated with gift cards. The group orchestrates its illegal activities through encrypted channels and underground forums, enabling it to operate covertly. Its primary method of theft involves exploiting technological vulnerabilities and running social engineering campaigns to compromise gift card portals, allowing it to convert stolen cards into untraceable cash.

Unlike other threat actors who seek quick profits through scalable attacks, Storm-0539 prefers to quietly steal through gift cards. This Morocco-based group is particularly active during major holidays like Christmas and New Year’s Day, with their intrusion attempts peaking in the summer, autumn, and winter seasons of 2023-2024. Storm-0539 has adapted to modern payment card fraud techniques, including phishing, smishing, device registration for MFA bypass, and third-party access to hack cloud identities and gift card portals of retailers, brands, and restaurants.

One of the key distinguishing features of Storm-0539 is their focus on leveraging cloud environments to carry out gift card issuance schemes targeting staff with access privileges, rather than relying solely on malware. This approach mirrors the tactics often used by nation-state threat actors, highlighting how espionage methods are now influencing financially motivated threat actors. By pretending to be legitimate organizations and utilizing free cloud resources, Storm-0539 is able to hide their operations effectively.

The group’s deceptive tactics include setting up typosquatting websites that mimic U.S. non-profits to access authentic IRS letters and sponsored cloud services for charities. By combining nation-state tradecraft with financial motives, threat groups like Storm-0539 and Octo Tempest are introducing new threats to the cybersecurity landscape. Their ability to create free trials and compromise cloud services at minimal cost enables them to conduct targeted operations with efficiency.

To counter these threats, cybersecurity experts recommend implementing token protection and least privilege access, phishing-resistant MFA, secure gift card platforms, fraud protection solutions, secure password changes for high-risk users, employee education, resetting passwords for users involved in phishing and AiTM activities, enabling zero-hour auto purge, and updating identities, access privileges, and distribution lists to minimize attack surfaces.

In conclusion, the rise of threat groups like Storm-0539 highlights the evolving nature of cybercrime and the need for organizations to adopt comprehensive cybersecurity measures to protect against gift card fraud and other illicit activities. By staying vigilant and implementing recommended security practices, businesses can mitigate the risk posed by sophisticated threat actors and safeguard their sensitive data and assets.
