CyberSecurity SEE

New Gift Card Scam Targets Retailers, Not Buyers, to Print Endless Money

In a recent development, a Moroccan threat group known as Storm-0539, or Atlas Lion, has taken the classic gift card scam to a whole new level by targeting the systems that register the cards, which gives the group the ability to generate money at will. The group has moved away from the traditional approach of targeting retail customers and shifted its focus to compromising the retailers themselves, specifically the portals used to issue gift cards.

The group’s modus operandi involves targeting retail employees with phishing texts in order to gain access to their employer accounts. By infiltrating an employee’s account, the cybercriminals are able to navigate and move laterally within the retailer’s network. In some cases, they leverage the initial employee’s compromised account to target other employees through phishing attempts sent via internal mailing lists, mimicking the company’s standard business communication practices. With access to accounts of significant privilege, they gather information on various services and accounts that can be used to ultimately reach the gift card infrastructure within the system.

According to Emiel Haeghebaert, a senior hunt analyst at the Microsoft Threat Intelligence Center, Storm-0539 conducts thorough reconnaissance on targeted environments, gathering information on a wide range of resources to advance towards the goal of stealing gift cards. This includes resources related to OneDrive, Salesforce, Citrix, and more. The group strategically targets resources such as SharePoint or VPN appliances to obtain additional information or access required to reach the gift card infrastructure. Microsoft has noted that Storm-0539’s reconnaissance and cloud skills are on par with those observed in nation-state-level activities.

Storm-0539 persistently navigates through the retailer’s environment until it obtains access to the gift card portal, where it creates numerous new gift cards just below the retailer’s set dollar amount limit. It then swiftly cashes out these gift cards, uses money mules for the cash-out process, or sells the cards to other malicious actors on the Dark Web.
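The issuance pattern described above (many cards valued just under the per-card limit, created from one account in a short time) can be turned into a detection rule. The sketch below is an added example, not code from Microsoft or from the article; the event fields, account names, the $500 limit, and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune to the retailer's own portal.
CARD_LIMIT = 500.00              # per-card dollar limit (assumed)
NEAR_LIMIT_RATIO = 0.90          # "just below the limit" = top 10% of the range
WINDOW = timedelta(minutes=30)   # sliding window per issuing account
BURST_THRESHOLD = 5              # near-limit cards in one window that raise an alert

# Constructed issuance events: (ISO timestamp, issuing account, card amount)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "m.smith", 480.00),   # isolated high-value card
    ("2024-05-01T15:00:00", "m.smith", 499.00),
    ("2024-05-01T10:00:00", "store-041", 25.00),  # routine low-value issuance
    ("2024-05-01T10:01:00", "store-041", 50.00),
    ("2024-05-01T10:02:00", "store-041", 100.00),
    ("2024-05-01T02:00:00", "j.doe", 495.00),     # burst just under the limit
    ("2024-05-01T02:02:00", "j.doe", 499.00),
    ("2024-05-01T02:03:00", "j.doe", 490.00),
    ("2024-05-01T02:05:00", "j.doe", 498.00),
    ("2024-05-01T02:07:00", "j.doe", 495.00),
    ("2024-05-01T02:09:00", "j.doe", 499.00),
]

def find_near_limit_bursts(events, limit=CARD_LIMIT, ratio=NEAR_LIMIT_RATIO,
                           window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {account: (window_start, count)} for each account that issued
    at least `threshold` cards valued in [ratio*limit, limit] within `window`."""
    near_limit = defaultdict(list)
    for ts, account, amount in events:
        if ratio * limit <= amount <= limit:
            near_limit[account].append(datetime.fromisoformat(ts))

    alerts = {}
    for account, times in near_limit.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(account, (None, 0))[1]:
                alerts[account] = (times[start], count)
    return alerts

if __name__ == "__main__":
    for account, (started, count) in find_near_limit_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {count} near-limit cards starting {started}")
```

In practice the alert would be joined with sign-in data for the issuing account (new device, unusual location, recent password reset) before escalation.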

As the threat posed by Storm-0539 intensifies during holiday seasons, Microsoft has emphasized the importance of adopting robust security measures to combat such threat actors. Recommendations include implementing phishing-resistant multifactor authentication, stringent password reset protocols, token replay and other fraud protections, least privilege principles, and educating employees about the risks associated with this scam. Microsoft also highlights the positive impact of increased collaboration and information-sharing among major retailers in effectively thwarting Storm-0539’s illicit activities in recent months.

In conclusion, the evolution of the gift card scam orchestrated by Storm-0539 underscores the need for organizations to enhance their cybersecurity defenses and readiness to counter sophisticated cyber threats. By staying vigilant and implementing proactive security measures, businesses can safeguard their systems and assets against malicious actors seeking to exploit vulnerabilities for financial gain.
