Cyber Signals: The risk of gift card fraud is increasing

In an ever-evolving cyber threat landscape, staying ahead of malicious actors is an ongoing challenge.

Microsoft Threat Intelligence found that gift cards are attractive targets for fraud and social engineering. Unlike credit or debit cards, they have no customer name or bank account attached to them, which can reduce scrutiny of potentially suspicious use in some cases and gives cybercriminals a different type of payment card surface to study and exploit.

Microsoft has discovered increased activity from threat group Storm-0539, also known as Atlas Lion, around U.S. holidays, including Memorial Day, Labor Day, Thanksgiving, Black Friday and Christmas. Ahead of Memorial Day 2024, Microsoft observed a 30% increase in Storm-0539 activity between March and May 2024.

The latest edition of Cyber Signals delves into the world of gift card fraud, covering Storm-0539 and its sophisticated cybercriminal techniques and persistence, and provides guidance for retailers on how to stay ahead of these risks.


The new report describes how organizations can protect gift cards from Storm-0539's cybercriminal techniques.

Evolution of Storm-0539 (Atlas Lion)

The cybercriminal group has been active since late 2021 and represents an evolution from threat actors who previously specialized in malware attacks on point-of-sale (POS) devices, such as retail cash registers and kiosks, to compromise payment card data. It has adapted to target cloud and identity services, steadily attacking payment and card systems associated with large retailers, luxury brands, and well-known fast food restaurants.

Complex strategy

What sets Storm-0539 apart is its deep understanding of cloud environments, which it uses to conduct reconnaissance on an organization's gift card issuance process and employee access. Its method of compromising cloud systems to gain far-reaching identity and access privileges mirrors the tradecraft and sophistication common among nation-state-sponsored threat actors, except that Storm-0539 is not collecting emails or files for espionage. Instead, it obtains persistent access and uses it to hijack accounts and create gift cards for malicious purposes; it does not specifically target consumers. After gaining access to an initial session and token, Storm-0539 registers its own malicious device on the victim's network for subsequent secondary authentication prompts, effectively bypassing multi-factor authentication protections, and persists in the environment using the now fully compromised identity.

Cloak of legitimacy

To remain undetected, Storm-0539 poses as a legitimate organization and obtains resources from cloud providers under the guise of a non-profit. It creates convincing websites, often using misleading "typosquatting" domain names that differ by a few characters from the real website, to lure unsuspecting victims, further demonstrating its cunning and resourcefulness.

Weather the storm

Organizations that issue gift cards should treat their gift card portals as high-value targets for cybercriminals and should focus on continuous monitoring and auditing for unusual activity. Enforcing conditional access policies and educating security teams on social engineering tactics are critical steps in strengthening defenses against such sophisticated actors. Given Storm-0539's sophistication and in-depth understanding of cloud environments, it is recommended that you also invest in cloud security best practices, implement sign-in risk policies, transition to phishing-resistant multi-factor authentication, and apply the principle of least privilege access.
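One way to turn the monitoring advice above into a concrete check, as an added example that is not from Microsoft's report: it correlates a newly registered device with gift card issuance from that same device shortly afterward, the sequence described in the strategy section. The event schema, field names, function names, and the 72-hour window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # assumed window; tune to your environment

def ev(ts, user, action, device, amount=0):
    """Build one event in a hypothetical normalized audit schema."""
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "device": device, "amount": amount}

# Constructed sample events (not real logs).
EVENTS = [
    ev("2024-01-10T08:00:00", "alice", "device_registered", "dev-A"),
    ev("2024-05-20T10:00:00", "alice", "giftcard_issued", "dev-A", 50),
    ev("2024-05-24T09:00:00", "bob", "signin", "dev-B"),
    ev("2024-05-24T09:05:00", "bob", "device_registered", "dev-X"),
    ev("2024-05-24T09:30:00", "bob", "giftcard_issued", "dev-X", 500),
    ev("2024-05-24T09:31:00", "bob", "giftcard_issued", "dev-X", 500),
    ev("2024-05-24T09:33:00", "bob", "giftcard_issued", "dev-X", 250),
]

def find_suspect_issuance(events, window=WINDOW):
    """Summarize gift card issuance from devices that the issuing account
    registered no more than `window` before the issuance."""
    registered = {}  # (user, device) -> registration time
    alerts = defaultdict(lambda: {"cards": 0, "value": 0})
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["device"])
        if e["action"] == "device_registered":
            registered[key] = e["ts"]
        elif e["action"] == "giftcard_issued":
            reg = registered.get(key)
            # Devices with no registration event on record are out of scope
            # here; cover them with a separate rule.
            if reg is not None and e["ts"] - reg <= window:
                alerts[key]["cards"] += 1
                alerts[key]["value"] += e["amount"]
    return dict(alerts)

if __name__ == "__main__":
    for (user, device), a in find_suspect_issuance(EVENTS).items():
        print(f"REVIEW {user} {device}: {a['cards']} cards, value {a['value']}")
```

Issuance from a long-established device, such as the first account's in the sample data, is not flagged; only issuance that closely follows a device registration is surfaced for review.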

By taking these steps, organizations can increase their resilience against focused cybercriminals like Storm-0539 while keeping trusted gift, payment, and other card options an attractive and flexible convenience for customers. To learn more about the latest threat intelligence insights, visit Microsoft Security Insider.

To learn more about Microsoft security solutions, visit our website. Bookmark the Security Blog to keep up with our expert reporting on security issues. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
