Microsoft: Gift card fraud costs businesses up to $100,000 a day

Microsoft has warned retailers and restaurants about sophisticated gift card fraud that could cost victims up to $100,000 a day.

In a new Cyber Signals report, the tech giant highlighted a 30% increase in intrusion activity by threat actor Storm-0539 between March and May 2024.

The group operates out of Morocco and targets gift card portals associated with large Moroccan retailers, luxury brands and well-known fast food restaurants, disrupting cloud and identity services.

Microsoft has observed a 30% increase in Storm-0539 activity ahead of U.S. holidays such as the upcoming Memorial Day on May 30, 2024.

Microsoft found that between September and December 2023, which coincided with Thanksgiving, Black Friday and Christmas, the group's intrusion activities also increased by 60%.

Deep reconnaissance against gift card creators

Microsoft said Storm-0539 used deep reconnaissance and sophisticated cloud-based techniques to target gift card creators, similar to espionage campaigns by nation-state actors.

The group has been active since late 2021 and focuses on attacking payment card accounts and systems.

Initially, it typically compromised payment card data via point-of-sale (POS) malware. As industries tightened their POS defenses, however, it gradually shifted to targeting gift card portals, the report said.

To conduct initial reconnaissance, Storm-0539 attempts to penetrate the target organization's employee accounts by sending text messages to personal and work mobile phones. It does this by accessing employee directories and timesheets, contact lists and email inboxes.

Once an account is compromised, attackers move laterally across the network in an attempt to identify gift card business processes and gather information about remote environments such as virtual machines, VPN connections, SharePoint and OneDrive resources.

Storm-0539 then uses this information to create new gift cards through compromised employee accounts. This allows them to redeem the value associated with these cards, sell the gift cards to other threat actors on the black market, or use money mules to cash out the gift cards.

Microsoft says it has seen examples of threat actors using this method to steal up to $100,000 a day from some companies.

The group was able to maintain persistent access to compromised accounts by registering its own devices in the victim's environment so that subsequent second-factor authentication prompts were sent to those devices. This enables it to bypass multi-factor authentication (MFA) protection.

Leverage the cloud to stay undetected

The report highlights Storm-0539's ability to leverage cloud resources to disguise itself and its infrastructure when conducting such attacks.

The group presented itself as a legitimate organization to cloud providers in order to obtain temporary applications, storage, and other initial free resources for attack campaigns.

To appear legitimate, it created websites that impersonated U.S. charities, animal shelters and other non-profit organizations, registering domains that were misspelled versions of the real organizations' domains.

Microsoft believes Storm-0539 conducted extensive reconnaissance of target companies' federated identity service providers to convincingly mimic the user login experience. This includes the use of adversary-in-the-middle (AiTM) pages and of registered domains that closely match legitimate services.

The group has also taken a number of other measures to minimize costs and maximize operational efficiency.

Storm-0539 has been observed downloading legitimate copies of 501(c)(3) letters issued by the Internal Revenue Service (IRS) from the public websites of non-profit organizations. It then uses these letters when contacting major cloud providers to request the sponsorship or discounted technology services that are offered to non-profit organizations.

Additionally, Storm-0539 has been observed creating free trial or student accounts on cloud service platforms, usually giving them 30 days of access. These accounts are used to initiate their target operations.

“Storm-0539's skills in compromising and creating cloud-based infrastructure allow them to avoid upfront costs common in the cybercrime economy, such as paying for hosting and servers,” Microsoft wrote.

How to protect against gift card fraud

Microsoft has a series of recommendations for organizations that offer gift cards to defend against these sophisticated tactics. These include:

  • Continuously monitor logs to identify suspicious logins and other common initial access vectors that rely on cloud identity compromise
  • Implement conditional access policies that restrict logins and flag risky logins
  • Consider using conditional access policies to supplement MFA, where other identity-driven signals (such as IP address location) are used to evaluate authentication requests
  • Reset the passwords of users associated with phishing and AiTM campaigns, which will revoke all active sessions
  • Update identities, access rights, and distribution lists to minimize attack surface
  • Use policies to prevent token replay attacks by binding tokens to legitimate users' devices
  • Consider switching to a gift card platform designed to verify payments
  • Transition to anti-phishing credentials such as FIDO2 security keys
  • Train employees to recognize potential gift card fraud and reject suspicious orders
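Several of the recommendations above (monitoring logs for suspicious cloud logins, using location signals, and blocking token replay) come together in the small detection example below. It is an added illustration, not code from the Microsoft report; the log format, field names, session identifiers and the expected-country list are all assumptions, and the records are constructed samples that mirror the device-registration and AiTM behaviour described in the article.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (JSON lines), not real telemetry: cloud sign-ins and
# MFA device registrations for two employee accounts. Field names are assumed.
SAMPLE_LOG = """
{"ts":"2024-05-20T08:02:10Z","user":"alice@example.com","event":"signin","ip":"203.0.113.5","country":"US","session":"s1"}
{"ts":"2024-05-20T08:03:40Z","user":"alice@example.com","event":"signin","ip":"198.51.100.9","country":"MA","session":"s1"}
{"ts":"2024-05-20T08:05:00Z","user":"alice@example.com","event":"device_registered","ip":"198.51.100.9","country":"MA","device":"unknown-android"}
{"ts":"2024-05-20T09:00:00Z","user":"bob@example.com","event":"signin","ip":"203.0.113.7","country":"US","session":"s2"}
{"ts":"2024-05-21T09:00:00Z","user":"bob@example.com","event":"device_registered","ip":"203.0.113.7","country":"US","device":"corp-laptop"}
"""

EXPECTED_COUNTRIES = {"US"}            # assumed home countries for this tenant
REGISTRATION_WINDOW = timedelta(hours=1)  # new MFA device soon after a risky sign-in

def parse(log):
    """Parse JSON lines into records ordered by timestamp."""
    recs = [json.loads(line) for line in log.strip().splitlines()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    return sorted(recs, key=lambda r: r["ts"])

def detect(records):
    """Return (user, rule) findings for the three identity-abuse patterns."""
    findings = []
    ips_per_session = defaultdict(set)
    last_signin = {}
    for r in records:
        user = r["user"]
        if r["event"] == "signin":
            # Rule 1: one session token presented from two IPs (token replay via AiTM)
            ips_per_session[r["session"]].add(r["ip"])
            if len(ips_per_session[r["session"]]) > 1:
                findings.append((user, "session_token_replay"))
            # Rule 2: sign-in from outside the expected countries (location signal)
            if r["country"] not in EXPECTED_COUNTRIES:
                findings.append((user, "unexpected_country_signin"))
            last_signin[user] = r
        elif r["event"] == "device_registered":
            # Rule 3: MFA device registered shortly after a risky sign-in (persistence)
            prev = last_signin.get(user)
            if prev and prev["country"] not in EXPECTED_COUNTRIES \
                    and r["ts"] - prev["ts"] <= REGISTRATION_WINDOW:
                findings.append((user, "device_registered_after_risky_signin"))
    return findings

def flagged_users(log=SAMPLE_LOG):
    """Distinct users with at least one finding, for the sample log by default."""
    return sorted({user for user, _ in detect(parse(log))})
```

Any user returned by `flagged_users` would be a candidate for the password reset and session revocation the recommendations describe.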
