Gift cards are attractive to hackers since they provide quick monetization for stolen data or compromised systems.
Reselling gift cards is simple, and they can also be converted into money, which makes them a comparatively risk-free means of ensuring threat actors benefit greatly from their illegal undertakings.
Microsoft cybersecurity analysts recently discovered that the gift card system is targeted by a threat group known as Storm-0539 (aka Atlas Lion).
It adjusts its methods to be relevant to changes taking place across retail, payment, and other industries associated with it.
Storm-0539’s illicit gift card theft ventures are coordinated via encrypted channels and underground forums.
ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service
Technical Analysis
This involves exploiting technological vulnerabilities and conducting social engineering campaigns that compromise gift card portals, allowing the stolen cards to be converted into untraceable cash.
Compared to threat actors targeting scalable attacks for quick profits, this actor stands out due to the fact that they quietly steal through gift cards.
Storm-0539 is a Morocco-based threat group whose activities escalate towards major holidays such as Christmas, New Year’s Day.
Their invasion trials accounted for 30% to 60% of the total during summer, autumn, and winter in 2023-2024.
Storm-0539 is a group that has adapted to modern payment card fraud, among other tactics.
These include phishing, smishing, device registration for MFA bypass, and third-party access used to hack cloud identities and gift card portals of retailers, brands, and restaurants.
They become more interested in how they can use their profound understanding of the cloud to successfully carry out gift card issuance schemes targeting staff with access privileges rather than relying on malware.
Storm-0539’s reconnaissance and ability to leverage cloud environments resemble those of nation-state threat actors, illustrating how espionage methods currently influence financially motivated threat actors.
Storm-0539 behaves like state-sponsored advanced hacking groups, focusing on cloud software, identities, and access rights to compromise the gift card printing process instead of end-users.
They pretend to be genuine organizations that use free cloud resources to hide their operation.
Their tools of deception involve typosquatting websites mimicking U.S. non-profits through which they can download authentic 501(c)(3) IRS letters and then approach sponsored cloud services for charities using them.
The combination of nation-state tradecraft with financial motives represents new threats from actors like Storm-0539 and Octo Tempest.
The group’s efficiency in creating free trials and compromising cloud services allows them to launch targeted operations with minimal costs.
Recommendations
Here below we have mentioned all the recommendations provided:-
- Token protection and least privilege access
- Phishing-resistant MFA
- Adopt a secure gift card platform and implement fraud protection solutions
- Require a secure password change when user risk level is high
- Educate employees
- Reset passwords for users associated with phishing and AiTM activity
- Enable zero-hour auto purge (ZAP) in Microsoft Defender for Office 365
- Update identities, access privileges, and distribution lists to minimize attack surfaces
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers