Moroccan Cybercrime Group Engages in Gift Card Fraud

Microsoft has identified a cybercrime group from Morocco, known as Storm-0539, involved in sophisticated email and SMS phishing attacks to commit gift card fraud.

According to Microsoft’s latest report, the primary goal of Storm-0539 is to steal gift cards and sell them at a discount online. Some companies have reported daily losses of up to $100,000 due to these activities.

Storm-0539, also referred to as Atlas Lion, has been active since late 2021. The group uses social engineering techniques, especially around the holiday season, to steal credentials and session tokens via adversary-in-the-middle (AitM) phishing pages. Once they gain initial access, they register their own devices to bypass authentication, obtain elevated privileges, and create fake gift cards for fraudulent purposes.

Their attack strategy includes infiltrating a victim’s cloud environment to conduct reconnaissance and exploit the infrastructure to achieve their goals. The targets include large retailers, luxury brands, and popular fast-food chains.

The endgame of their operation is to redeem the gift cards’ value, sell them on black markets, or use intermediaries to cash them out. This shift to targeting gift card portals represents a tactical evolution for the group, which previously focused on stealing payment card data using malware on point-of-sale (PoS) devices.

Microsoft noted a 30% increase in Storm-0539 activity between March and May 2024, highlighting the group’s advanced knowledge of cloud systems to examine an organization’s gift card issuance processes.

The U.S. Federal Bureau of Investigation (FBI) also issued an advisory warning of Storm-0539’s smishing attacks against retail corporations’ gift card departments, using sophisticated phishing kits to bypass multi-factor authentication (MFA). In one case, a corporation detected and blocked Storm-0539’s fraudulent gift card activities, but the group adapted and continued their attacks by targeting unredeemed gift cards.

Storm-0539’s tactics extend beyond stealing login credentials, as they also acquire secure shell (SSH) passwords and keys for financial gain or further attacks. They use internal company mailing lists to send phishing messages, adding legitimacy to their attacks, and create free trials or student accounts on cloud platforms to set up phishing websites.

The group impersonates legitimate non-profits to abuse cloud infrastructure, mirroring techniques used by advanced state-sponsored actors to evade detection.

Microsoft advises companies issuing gift cards to treat their portals as high-value targets, monitor for suspicious logins, and complement MFA with conditional access policies that evaluate additional identity-driven signals like IP address location or device status.

The development follows researcher’s findings of criminal campaigns exploiting cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card scams. These scams use seemingly legitimate URLs to redirect users to malicious websites that steal sensitive information.

Researcher also revealed that attackers construct URLs using legitimate Google addresses combined with encoded characters to hide scam URLs. These techniques exploit the trust in legitimate URLs to trick mobile users into providing personal data, such as credit card details and social media credentials.

To protect your business from Storm-0539’s gift card fraud, it’s crucial to implement multi-factor authentication (MFA) with conditional access policies that evaluate additional identity-driven signals such as IP address and device status. Regularly monitor for suspicious logins and unusual activity related to gift card transactions.