Moroccan Cybercrime Group Steals Up to $100K Daily Through Gift Card Fraud

Microsoft is raising attention to a Morocco-based cybercrime group named Storm-0539 that's behind gift card fraud and theft through extremely sophisticated email and SMS phishing attempts.

"Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate," the organization said in its latest Cyber Signals report. "We've seen some examples where the threat actor has stolen up to $100,000 a day at certain companies."

Storm-0539 was initially spotlighted by Microsoft in mid-December 2023, linking it to social engineering campaigns ahead of the year-end holiday season to steal users' credentials and session tokens via adversary-in-the-middle (AitM) phishing pages.

The gang, also called Atlas Lion and active since at least late 2021, then abuses that initial access to register its own devices, letting it bypass authentication and obtain persistent access, escalate privileges, and compromise gift card-related services by creating bogus gift cards to facilitate fraud.

The attack chains are further designed to gain covert access to a victim's cloud environment, allowing the threat actor to carry out extensive reconnaissance and weaponize the infrastructure to achieve its final aims. Targets of the campaign include large retailers, luxury brands, and well-known fast-food restaurants.

The end goal of the operation is to redeem the value associated with those cards, sell the gift cards to other threat actors on underground markets, or use money mules to cash them out.

The criminal targeting of gift card portals marks a tactical progression for the threat actor, which has previously been involved in harvesting payment card data by deploying malware on point-of-sale (PoS) devices.

The Windows maker said it saw a 30% spike in Storm-0539 intrusion activity between March and May 2024, characterizing the attackers as exploiting their extensive understanding of the cloud to "conduct reconnaissance on an organization's gift card issuance processes."

Earlier this month, the U.S. Federal Bureau of Investigation (FBI) released an advisory [PDF] warning of smishing attacks committed by the gang targeting the gift card departments of retail corporations using a sophisticated phishing kit to defeat multi-factor authentication (MFA).

"In one instance, a corporation detected Storm-0539's fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards," the FBI said.

"Storm-0539 actors maintained their smishing attacks and regained access to business systems. Then, the players turned tactics to discovering unredeemed gift cards, and altered the corresponding email accounts to ones controlled by Storm-0539 actors in order to redeem the gift cards."

It's worth noting that the threat actor's operations go beyond acquiring the login credentials of gift card department personnel. Their efforts also extend to harvesting secure shell (SSH) passwords and keys, which may subsequently be sold for financial gain or used in follow-on attacks.

Another tactic used by Storm-0539 is the abuse of genuine internal company email lists to send phishing messages after obtaining initial access, lending the attacks a veneer of legitimacy. It has also been observed creating free trials or student accounts on cloud service platforms to host new websites.

The abuse of cloud infrastructure, notably by impersonating legitimate non-profits to cloud service providers, is a sign that financially motivated groups are taking a page out of the playbook of advanced state-sponsored actors to mask their operations and remain undetected.

Microsoft is recommending that organizations that issue gift cards treat their gift card portals as high-value targets and monitor them for suspicious logins.

"Organizations should also consider complementing MFA with conditional access policies where authentication requests are evaluated using additional identity-driven signals like IP address location information or device status, among others," the company added.

"Storm-0539 operations are persuasive due to the actor's use of legitimate compromised emails and the mimicking of legitimate platforms used by the targeted company."
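The conditional-access idea Microsoft describes above, as an added illustration that is not part of the original article or of any Microsoft product: a toy policy evaluator that scores sign-ins to a gift card portal on MFA, device compliance, sign-in country and how recently the device was registered (the device-registration trick described earlier). All event fields, app names and the baseline country list are constructed assumptions.

```python
"""Toy conditional-access check for a gift card portal (added example).

Assumptions: sign-in events are plain records; the org's staff normally
sign in from the BASELINE_COUNTRIES; a device registered less than
NEW_DEVICE_WINDOW before a sign-in is treated as a risk signal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HIGH_VALUE_APPS = {"gift-card-portal"}      # constructed app name
BASELINE_COUNTRIES = {"US"}                 # constructed baseline
NEW_DEVICE_WINDOW = timedelta(hours=24)


@dataclass
class SignIn:
    user: str
    app: str
    ts: datetime
    country: str
    device_compliant: bool
    device_registered_at: Optional[datetime]  # None = device not registered
    mfa_satisfied: bool


def evaluate(event: SignIn) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons). Only high-value apps are gated."""
    reasons: List[str] = []
    if event.app not in HIGH_VALUE_APPS:
        return "allow", reasons
    if not event.mfa_satisfied:
        reasons.append("mfa_not_satisfied")
    if not event.device_compliant:
        reasons.append("device_not_compliant")
    if event.country not in BASELINE_COUNTRIES:
        reasons.append("unfamiliar_country:" + event.country)
    # A device joined to the tenant shortly before use is a classic
    # persistence signal; flag it even if every other check passes.
    if (event.device_registered_at is not None
            and event.ts - event.device_registered_at < NEW_DEVICE_WINDOW):
        reasons.append("device_registered_recently")
    return ("block" if reasons else "allow"), reasons


def blocked_users(events: List[SignIn]) -> List[str]:
    """Users whose gift card portal sign-ins would be blocked (for alerting)."""
    return sorted({e.user for e in events if evaluate(e)[0] == "block"})
```

In production the same signals would come from the identity provider's sign-in and device logs rather than from in-memory records.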

The development comes as Enea revealed details of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card scams that redirect users to malicious websites with the aim of stealing sensitive information.

"The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions," Enea researcher Manoj Kumar stated.

"When mobile users click on these links, which contain well-known cloud platform domains, they are led to the static webpage stored in the storage bucket. This website then automatically passes or redirects users to the embedded spam URLs or dynamically produced URLs using JavaScript, all without the user's notice."

In early April 2023, Enea also identified campaigns that use URLs built on the legitimate Google address "google.com/amp," combined with encoded characters to mask the fraudulent URL.

"This kind of trust is being exploited by malicious actors trying to trick mobile subscribers by hiding behind seemingly legitimate URLs," Kumar pointed out. "Attacker techniques can include luring subscribers to their websites under false pretenses, and stealing sensitive information such as credit card details, email or social media credentials, and other personal data."
