Tuesday, January 14, 2025
HomeCyber CrimeMicrosoft Warns Of Storm-0539's Aggressive Gift Card Theft

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Published on

Gift cards are attractive to hackers since they provide quick monetization for stolen data or compromised systems.

Reselling gift cards is simple, and they can also be converted into money, which makes them a comparatively risk-free means of ensuring threat actors benefit greatly from their illegal undertakings.

Microsoft cybersecurity analysts recently discovered that the gift card system is targeted by a threat group known as Storm-0539 (aka Atlas Lion). 

It adjusts its methods to be relevant to changes taking place across retail, payment, and other industries associated with it.

Storm-0539’s illicit gift card theft ventures are coordinated via encrypted channels and underground forums.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

This involves exploiting technological vulnerabilities and conducting social engineering campaigns that compromise gift card portals, allowing the stolen cards to be converted into untraceable cash.

Compared to threat actors targeting scalable attacks for quick profits, this actor stands out due to the fact that they quietly steal through gift cards.

Storm-0539 is a Morocco-based threat group whose activities escalate towards major holidays such as Christmas, New Year’s Day. 

Their invasion trials accounted for 30% to 60% of the total during summer, autumn, and winter in 2023-2024.

Storm-0539 is a group that has adapted to modern payment card fraud, among other tactics.

These include phishing, smishing, device registration for MFA bypass, and third-party access used to hack cloud identities and gift card portals of retailers, brands, and restaurants. 

Storm-0539 intrusion lifecycle (Source – Microsoft)

They become more interested in how they can use their profound understanding of the cloud to successfully carry out gift card issuance schemes targeting staff with access privileges rather than relying on malware.

Storm-0539’s reconnaissance and ability to leverage cloud environments resemble those of nation-state threat actors, illustrating how espionage methods currently influence financially motivated threat actors.

Storm-0539 behaves like state-sponsored advanced hacking groups, focusing on cloud software, identities, and access rights to compromise the gift card printing process instead of end-users.

They pretend to be genuine organizations that use free cloud resources to hide their operation.

Their tools of deception involve typosquatting websites mimicking U.S. non-profits through which they can download authentic 501(c)(3) IRS letters and then approach sponsored cloud services for charities using them.

The combination of nation-state tradecraft with financial motives represents new threats from actors like Storm-0539 and Octo Tempest.

The group’s efficiency in creating free trials and compromising cloud services allows them to launch targeted operations with minimal costs.

Recommendations

Here below we have mentioned all the recommendations provided:-

  • Token protection and least privilege access
  • Phishing-resistant MFA
  • Adopt a secure gift card platform and implement fraud protection solutions
  • Require a secure password change when user risk level is high
  • Educate employees
  • Reset passwords for users associated with phishing and AiTM activity
  • Enable zero-hour auto purge (ZAP) in Microsoft Defender for Office 365
  • Update identities, access privileges, and distribution lists to minimize attack surfaces

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Hackers Using YouTube Links and Microsoft 365 Themes to Steal Logins

Cybercriminals are executing sophisticated phishing attacks targeting Microsoft 365 users by employing deceptive URLs...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...

Hackers Targeting Users Who Lodged Complaints On Government portal To Steal Credit Card Data

Fraudsters in the Middle East are exploiting a vulnerability in the government services portal....