Microsoft Warns of Rising Gift Card Fraud by Storm-0539

Microsoft has issued a stark warning to retailers and restaurants about a sophisticated gift card fraud operation run by the cybercriminal group Storm-0539. According to Microsoft's latest Cyber Signals report, there has been a 30% increase in intrusion activities by Storm-0539 between March and May 2024, with potential losses reaching up to $100,000 daily for targeted companies.

Storm-0539, operating out of Morocco, focuses on cloud and identity services linked to gift card portals of major retailers, luxury brands, and fast-food chains. The group's activity spikes around major holidays, including this week's Memorial Day and historically during Thanksgiving, Black Friday, and Christmas, when there was a 60% rise in attacks.

The group has been active since late 2021, initially using point-of-sale (POS) malware to steal payment card data. As defenses against POS malware improved, Storm-0539 shifted its focus to gift card portals. They infiltrate employee accounts by sending smishing texts to personal and work mobile phones, gathering information from directories, schedules, contact lists, and email inboxes.

Once inside a network, the attackers move laterally, exploring gift card business processes and remote environments such as virtual machines, VPN connections, SharePoint, and OneDrive. They then use compromised accounts to generate new gift cards. Microsoft reports that thefts from a single company can amount to $100,000 daily through this method.

Storm-0539 maintains persistent access by registering their own devices for secondary authentication prompts, effectively bypassing multifactor authentication (MFA). They also impersonate legitimate organizations when dealing with cloud providers in order to obtain free resources for their attacks, creating websites that mimic US-based charities, animal shelters, and other nonprofits via typosquatting.
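As an added illustration of the persistence technique described above (this is not code from Microsoft or the Cyber Signals report), the following Python script flags MFA method registrations that closely follow a successful sign-in from a country outside an account's usual baseline. The event fields, the baseline and the sample events are constructed assumptions and would need to be mapped onto a real identity provider's audit log.

```python
# Added example: detect a new MFA device/method registered shortly after a sign-in
# from an unfamiliar country. Event shape and baseline are constructed, not a real IdP schema.
from datetime import datetime, timedelta

# Constructed sample audit events (UTC, ISO 8601), oldest first.
EVENTS = [
    {"ts": "2024-05-20T08:02:00", "user": "gc-ops@example.com", "type": "signin",
     "country": "US", "ip": "203.0.113.10", "success": True},
    {"ts": "2024-05-21T02:14:00", "user": "gc-ops@example.com", "type": "signin",
     "country": "MA", "ip": "198.51.100.7", "success": True},
    {"ts": "2024-05-21T02:19:00", "user": "gc-ops@example.com", "type": "mfa_method_added",
     "country": "MA", "ip": "198.51.100.7", "method": "authenticator_app"},
    {"ts": "2024-05-21T09:00:00", "user": "store-mgr@example.com", "type": "signin",
     "country": "US", "ip": "203.0.113.44", "success": True},
    {"ts": "2024-05-21T09:05:00", "user": "store-mgr@example.com", "type": "mfa_method_added",
     "country": "US", "ip": "203.0.113.44", "method": "phone"},
]

# Constructed baseline: countries each account normally signs in from.
BASELINE = {"gc-ops@example.com": {"US"}, "store-mgr@example.com": {"US"}}


def parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_mfa_registrations(events, baseline, window_hours=24):
    """Return (user, method, country) for each MFA registration that occurs within
    window_hours after a successful sign-in from a country outside the user's baseline."""
    alerts = []
    recent = {}  # user -> [(sign-in time, country)] for out-of-baseline successful sign-ins
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if e["type"] == "signin" and e.get("success"):
            if e["country"] not in baseline.get(user, set()):
                recent.setdefault(user, []).append((parse(e["ts"]), e["country"]))
        elif e["type"] == "mfa_method_added":
            t = parse(e["ts"])
            for t0, country in recent.get(user, []):
                if timedelta(0) <= t - t0 <= timedelta(hours=window_hours):
                    alerts.append((user, e["method"], country))
                    break  # one alert per registration event is enough
    return alerts


if __name__ == "__main__":
    for user, method, country in suspicious_mfa_registrations(EVENTS, BASELINE):
        print("ALERT: new MFA method %r registered for %s after sign-in from %s" % (method, user, country))
```

The second account is not flagged because its registration follows a sign-in from a baseline country; in production the baseline would be learned from historical sign-ins rather than hard-coded.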

The group conducts thorough reconnaissance on federated identity service providers at targeted companies to convincingly mimic user sign-in experiences. They create adversary-in-the-middle (AiTM) pages and use domains closely resembling legitimate services. To minimize costs, Storm-0539 downloads legitimate 501(c)(3) letters from nonprofit websites to obtain sponsored or discounted technology services from major cloud providers. They also create free trials or student accounts on cloud service platforms, granting them 30 days of access to launch targeted operations.

"Storm-0539’s skill at compromising and creating cloud-based infrastructure lets them avoid common up-front costs in the cybercrime economy, such as paying for hosts and servers," Microsoft stated. The company emphasizes the need for robust cybersecurity measures to counteract such sophisticated fraud schemes.

Ted Miracco, CEO of Approov Mobile Security, commented on the implications of Storm-0539's activities:

"The increasing reliance on mobile devices in cyber attacks, as illustrated by Storm-0539's activities, highlights the need for comprehensive mobile and API security strategies. Smishing, or SMS Phishing, in this case underscores a significant vulnerability: employees often use the same devices for both personal and work-related activities, increasing the attack surface.

"In bypassing MFA by registering their devices, this incident highlights the need for more robust MFA implementations and better device management policies. Organizations must adopt a defense-in-depth approach to security, incorporating advanced mobile threat monitoring, training, and device management to protect against sophisticated threats."

As Storm-0539 continues to evolve its tactics, businesses must stay vigilant and proactive in enhancing their cybersecurity defenses to protect against such high-stakes fraud operations.
