Sunday, June 16, 2024

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data or compromised systems.

Reselling gift cards is simple, and they can also be converted into money, which makes them a comparatively risk-free means of ensuring threat actors benefit greatly from their illegal undertakings.

Microsoft cybersecurity analysts recently discovered that the gift card system is targeted by a threat group known as Storm-0539 (aka Atlas Lion). 

It adjusts its methods to be relevant to changes taking place across retail, payment, and other industries associated with it.

Storm-0539’s illicit gift card theft ventures are coordinated via encrypted channels and underground forums.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

This involves exploiting technological vulnerabilities and conducting social engineering campaigns that compromise gift card portals, allowing the stolen cards to be converted into untraceable cash.

Compared to threat actors targeting scalable attacks for quick profits, this actor stands out due to the fact that they quietly steal through gift cards.

Storm-0539 is a Morocco-based threat group whose activities escalate towards major holidays such as Christmas, New Year’s Day. 

Their invasion trials accounted for 30% to 60% of the total during summer, autumn, and winter in 2023-2024.

Storm-0539 is a group that has adapted to modern payment card fraud, among other tactics.

These include phishing, smishing, device registration for MFA bypass, and third-party access used to hack cloud identities and gift card portals of retailers, brands, and restaurants. 

Storm-0539 intrusion lifecycle (Source – Microsoft)

They become more interested in how they can use their profound understanding of the cloud to successfully carry out gift card issuance schemes targeting staff with access privileges rather than relying on malware.

Storm-0539’s reconnaissance and ability to leverage cloud environments resemble those of nation-state threat actors, illustrating how espionage methods currently influence financially motivated threat actors.

Storm-0539 behaves like state-sponsored advanced hacking groups, focusing on cloud software, identities, and access rights to compromise the gift card printing process instead of end-users.

They pretend to be genuine organizations that use free cloud resources to hide their operation.

Their tools of deception involve typosquatting websites mimicking U.S. non-profits through which they can download authentic 501(c)(3) IRS letters and then approach sponsored cloud services for charities using them.

The combination of nation-state tradecraft with financial motives represents new threats from actors like Storm-0539 and Octo Tempest.

The group’s efficiency in creating free trials and compromising cloud services allows them to launch targeted operations with minimal costs.


Here below we have mentioned all the recommendations provided:-

  • Token protection and least privilege access
  • Phishing-resistant MFA
  • Adopt a secure gift card platform and implement fraud protection solutions
  • Require a secure password change when user risk level is high
  • Educate employees
  • Reset passwords for users associated with phishing and AiTM activity
  • Enable zero-hour auto purge (ZAP) in Microsoft Defender for Office 365
  • Update identities, access privileges, and distribution lists to minimize attack surfaces

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles