The IT Nerd

Microsoft has alerted retailers and restaurants to sophisticated gift card fraud by the threat actor Storm-0539, which can result in losses of up to $100,000 daily. According to Microsoft’s latest Cyber Signals report released this week, there has been a 30% rise in intrusion activity by Storm-0539 between March and May 2024.

Operating out of Morocco, Storm-0539 targets cloud and identity services linked to gift card portals of large retailers, luxury brands, and fast-food restaurants. The group increases its activity around major holidays such as this weeks Memorial Day and a 60% rise last year prior to Thanksgiving, Black Friday, and Christmas holidays.

Active since late 2021, Storm-0539 initially used point-of-sale (POS) malware to compromise payment card data. As industries strengthened POS defenses, the group shifted focus to gift card portals, infiltrating employee accounts at target organizations by sending smishing texts to personal and work mobile phones. The attackers gather information from employee directories, schedules, contact lists, and email inboxes.

Once inside, they move laterally through the network, identifying gift card business processes and remote environments like virtual machines, VPN connections, SharePoint, and OneDrive resources. Using compromised accounts, they create new gift cards. Microsoft has observed thefts of up to $100,000 a day from a single company through this method.

Storm-0539 maintains persistent access by registering their own devices for secondary authentication prompts, bypassing multifactor authentication (MFA). They present themselves as legitimate organizations to cloud providers to gain initial free resources for their attacks. This involves creating websites that impersonate US-based charities, animal shelters, and other nonprofits via typosquatting.

The group conducts extensive reconnaissance on federated identity service providers at targeted companies to convincingly mimic user sign-in experiences creating adversary-in-the-middle (AiTM) pages and using domains that closely match legitimate services. To minimize costs and maximize efficiency, Storm-0539 has been observed downloading legitimate 501(c)(3) letters from nonprofit websites to obtain sponsored or discounted technology services from major cloud providers. They also create free trials or student accounts on cloud service platforms, granting them 30 days of access to launch targeted operations.

“Storm-0539’s skill at compromising and creating cloud-based infrastructure lets them avoid common up-front costs in the cybercrime economy, such as paying for hosts and servers,” Microsoft stated. The company stresses the need for robust cybersecurity measures to counteract such sophisticated fraud schemes.

Ted Miracco, CEO, Approov Mobile Security:

   “The increasing reliance on mobile devices in cyber attacks, as illustrated by Storm-0539’s activities, highlights the need for comprehensive mobile and API security strategies. Smishing, or SMS Phishing, in this case underscores a significant vulnerability: employees often use the same devices for both personal and work-related activities, increasing the attack surface. 

   “In bypassing MFA by registering their devices, this incident highlights the need for more robust MFA implementations and better device management policies. Organizations must adopt a defense-in-depth approach to security, incorporating advanced mobile threat monitoring, training, and device management to protect against sophisticated threats.”

Seeing as gift cards are the number one go to gift for a lot of people, this is a huge problem. One that needs to be addressed on multiple fronts. Hopefully those organizations who rely on gift cards as a part of their business are paying attention.