Microsoft has issued a warning about a new cyber attack involving the theft of gift cards, carried out by a group of malicious actors known as Storm-0539. These actors infiltrate retail platforms using techniques such as ‘phishing’, ‘smishing’, and token theft in order to create gift cards and steal products.
Retail gift cards are particularly vulnerable to fraud and social engineering practices by cybercriminals, as they do not have customer names or bank accounts associated with them, making it easier for suspicious use without being identified. Storm-0539 has taken gift card-based theft to a new level by using phishing techniques, smishing, device registration, and token theft to gain access to corporate systems and employee accounts of large retailers.
Microsoft’s Threat Intelligence team highlighted this increase in activity from the threat actor group in their latest report, Cyber Signals. The group, also known as ‘Atlas Lion’, has been able to fraudulently generate gift card codes and use them to steal products from businesses. This type of fraud has increased by 30 percent between March and May 2024, particularly during American holidays like Thanksgiving, Black Friday, and Christmas.
Microsoft emphasized the sophistication of Storm-0539 and their ability to take advantage of cloud environments. The group remains infiltrated in systems after completing scams to continue generating card codes regularly. They also use extensive research on the gift card business process, identity service providers, and employees of target organizations to acquire recognition and camouflage capabilities.
In addition to impersonating non-profit organizations to gain access to free cloud resources and domains, Storm-0539 also implements conditional access policies and educates company security teams on social engineering tactics. Microsoft recommends that organizations treat gift card portals as high-value targets for cybercriminals, conduct continuous supervision
