Microsoft discovers gift card thieves using cyber espionage tactics

Microsoft has released a “Cyber Signals” report, sharing new information about the hacker group Storm-0539 and a sharp increase in gift card thefts as the Memorial Day holiday approaches.

The FBI issued a warning about the activities of Storm-0539, also known as “Antlion”, earlier this month, highlighting the threat group's advanced techniques for carrying out gift card theft and fraud and noting that their tactics are similar to those of state-sponsored hacking and sophisticated cyber espionage.

Microsoft warned that threat actors will increase their activities before major holidays. Storm-0539 activity increased by 60% during the winter holiday (Christmas) last year, and there was a significant increase of 30% between March and May 2024.

In a new Cyber Signals report, Microsoft confirms that threat actors are targeting organizations that issue gift cards rather than end users, and also reveals the large-scale abuse of cloud service providers to achieve low-cost operations.

Storm-0539 Introduction and modus operandi

Storm-0539 is a financially motivated Moroccan threat group that has been active since 2021 and focuses primarily on gift card and payment card fraud.

Threat actors are notorious for their reconnaissance efforts and customized email and SMS phishing messages that target employees of target organizations (often gift card issuers).

SMS phishing sent to target
Source: Microsoft

Once they have used compromised accounts to gain access to the target environment, they register their own devices with the company's multi-factor authentication (MFA) platform for persistence and then compromise virtual machines, VPNs, SharePoint, OneDrive, Salesforce and Citrix environments to move laterally.

Intrusion life cycle
Source: Microsoft

Eventually, Storm-0539 obtains credentials that allow it to create new gift cards, which can then be redeemed on darknet markets, in stores, or cashed out through a money mule.

“Typically, organizations set limits on the cash value of gift cards that can be issued to individuals. For example, if the limit is $100,000, a threat actor would issue a card worth $99,000 and then send themselves the gift card code and monetize it,” Microsoft's Cyber Signals report explains.

“Their primary motivation is to steal the gift cards and make a profit by selling them online at a discounted price.”

“We've seen examples where threat actors have stolen up to $100,000 a day from some companies.”

To create new infrastructure for the attack, the threat actors set up a website posing as a non-profit organization in order to register with cloud service providers. These accounts are enrolled in “pay-as-you-go” or “free trial” tiers, which the group abuses in large-scale operations at almost no cost.

Microsoft explained: “Storm-0539's ability to detect and exploit cloud environments is similar to what Microsoft has observed from state-sponsored threat actors, illustrating how techniques popularized by espionage and geopolitically focused adversaries are now impacting financially motivated criminals.”

Storm-0539 attack chain overview
Source: Microsoft

Defense Advice

Microsoft recommends that operators of gift card issuance portals continuously monitor for anomalies and implement conditional access policies to prevent a single potentially hijacked account from generating an unusually large number of gift cards.

Additionally, organizations are advised to implement token replay protection, enforce least-privilege access, and use FIDO2 security keys to protect high-risk accounts.
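The monitoring Microsoft recommends can be illustrated with a small detection routine over gift card issuance events. The following is an added example, not code from Microsoft or from the report; it assumes a constructed event log, a hypothetical per-card limit of $100,000 (mirroring the $99,000-of-$100,000 pattern quoted above) and a hypothetical per-account cap within a sliding window, and flags near-limit cards, cards whose code is sent to the issuing account itself, and accounts issuing more cards than the cap allows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of gift card issuance events (not real data):
# (ISO timestamp, issuing portal account, card value in USD, recipient e-mail)
SAMPLE_EVENTS = [
    ("2024-05-20T09:00:00", "clerk.a@example-issuer.test", 50, "customer1@example.com"),
    ("2024-05-20T09:05:00", "clerk.a@example-issuer.test", 25, "customer2@example.com"),
    ("2024-05-20T09:07:00", "clerk.b@example-issuer.test", 99000, "clerk.b@example-issuer.test"),
    ("2024-05-20T09:08:00", "clerk.b@example-issuer.test", 99000, "drop1@mailbox.test"),
    ("2024-05-20T09:09:00", "clerk.b@example-issuer.test", 500, "drop2@mailbox.test"),
    ("2024-05-20T09:10:00", "clerk.b@example-issuer.test", 500, "drop3@mailbox.test"),
]

PER_CARD_LIMIT = 100_000      # assumed portal limit per card (USD); hypothetical value
NEAR_LIMIT_RATIO = 0.9        # card values at or above 90% of the limit are suspicious
MAX_CARDS_PER_WINDOW = 3      # assumed per-account cap within one window; hypothetical
WINDOW = timedelta(minutes=15)


def flag_issuance_anomalies(events, per_card_limit=PER_CARD_LIMIT,
                            max_cards=MAX_CARDS_PER_WINDOW, window=WINDOW):
    """Return a list of (account, reason) findings over issuance events."""
    findings = []
    by_account = defaultdict(list)   # account -> timestamps of recent issuances
    for ts, account, value, recipient in sorted(events):
        when = datetime.fromisoformat(ts)
        # Pattern 1: a single card just under the per-card limit ($99,000 of $100,000).
        if value >= per_card_limit * NEAR_LIMIT_RATIO:
            findings.append((account, f"near-limit card value {value}"))
        # Pattern 2: the issuing account sends the card code to itself.
        if recipient.lower() == account.lower():
            findings.append((account, "card sent to issuing account"))
        # Pattern 3: more cards in a sliding window than one account should need.
        recent = [t for t in by_account[account] if when - t <= window]
        recent.append(when)
        by_account[account] = recent
        if len(recent) > max_cards:
            findings.append((account, f"{len(recent)} cards issued within {window}"))
    return findings


if __name__ == "__main__":
    for account, reason in flag_issuance_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {account}: {reason}")
```

In a real portal these thresholds would be tuned to the issuer's normal volumes, and the self-addressed check extended to any recipient address associated with a portal user.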

By identifying and rejecting orders with suspicious signs, merchants can also play a key role in disrupting the profit chain of Storm-0539 and similar threat actors.

While these attacks won't affect holiday shoppers, internet users preparing for Memorial Day should be on high alert for scams, fake stores and malicious ads.
