Microsoft has identified a surge in fraudulent activities by the Morocco-based cybercriminal group Storm-0539, also known as Atlas Lion, targeting gift card systems during holiday periods. The group, active since late 2021, has shifted from attacking cash registers and kiosks to compromising online cloud and identity services. This evolution has enabled them to infiltrate the gift card portals of major retailers and other businesses.
Advanced Tactics and Methods
Storm-0539 employs sophisticated techniques to breach gift card systems. Initially, the group gathers critical information such as employee directories, contact lists, and email inboxes from targeted organizations. They then send smishing texts—fraudulent messages aimed at stealing personal information—to both personal and work phones of employees. Once an employee's account is compromised, the attackers move laterally through the network, identifying the gift card business process and targeting accounts linked to this portfolio.
Upon gaining access to a company's gift card portal, Storm-0539 can create new gift cards for self-redemption or sell them to other cybercriminal groups on the black market. The group also has the capability to cash out the value of these cards. Microsoft notes that holiday shopping periods such as Memorial Day, the Fourth of July, Labor Day, and the end-of-year holiday season often see an uptick in fraudulent activities by Storm-0539.
Increased Activity and Evolution
Microsoft observed a 30% increase in activity from Storm-0539 between March and May 2024. The group has evolved from targeting point-of-sale devices to attacking cloud and identity services. Storm-0539 uses sophisticated methods to gain persistent access to cloud environments, mimicking nation-state-sponsored threat actors. The group registers its own malicious devices on victim networks to bypass multi-factor authentication protections.
Gift cards are particularly attractive to cybercriminals because they lack customer names or bank accounts, which can reduce scrutiny of their use. This anonymity makes them a lucrative target for groups like Storm-0539. The group often adopts the guise of legitimate organizations, using typosquatting domain names to lure victims.
Preventive Measures and Recommendations
To mitigate these risks, Microsoft recommends several strategies for companies offering gift cards. These include using secure gift card platforms with built-in fraud protection services, educating employees on recognizing and avoiding phishing attempts, and implementing phishing-resistant multi-factor authentication (MFA) methods. By adopting these measures, businesses can better protect themselves against the evolving tactics of cybercriminal groups like Storm-0539.
Organizations should treat gift card portals as high-value targets and continuously monitor for anomalous activities. Implementing conditional access policies and educating security teams on social engineering tactics are crucial defensive measures. Investing in cloud security best practices and applying the least privilege access principle are recommended to further safeguard against these threats.
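
One way to monitor for the pattern described above, a newly registered device followed by a burst of gift card issuance from the same account, is a simple correlation over audit events. This is an added example, not taken from Microsoft's report; the event schema, user names, time window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. The tuple layout (timestamp, user, action,
# value) is a hypothetical normalized schema, not any vendor's log format.
EVENTS = [
    ("2024-05-20T10:15:00", "bmiller", "giftcard_issued", 25),
    ("2024-05-24T08:55:00", "jdoe", "device_registered", 0),
    ("2024-05-24T09:10:00", "jdoe", "giftcard_issued", 500),
    ("2024-05-24T09:12:00", "jdoe", "giftcard_issued", 500),
    ("2024-05-24T09:13:00", "jdoe", "giftcard_issued", 500),
    ("2024-05-25T14:00:00", "bmiller", "giftcard_issued", 50),
    ("2024-05-26T11:00:00", "asmith", "device_registered", 0),
    ("2024-05-29T16:30:00", "asmith", "giftcard_issued", 100),
]

def flag_issuance_after_new_device(events, window=timedelta(hours=24), min_cards=3):
    """Flag users who issue at least min_cards gift cards within `window` of
    registering a new device. Returns {user: (card_count, total_value)}."""
    registrations = defaultdict(list)   # user -> device registration times
    hits = defaultdict(lambda: [0, 0])  # user -> [card count, total value]
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ts, user, action, value in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "device_registered":
            registrations[user].append(when)
        elif action == "giftcard_issued":
            # Count the card once if any registration by this user precedes
            # it by no more than `window`.
            if any(timedelta(0) <= when - reg <= window
                   for reg in registrations[user]):
                hits[user][0] += 1
                hits[user][1] += value
    return {u: tuple(v) for u, v in hits.items() if v[0] >= min_cards}

if __name__ == "__main__":
    for user, (count, total) in flag_issuance_after_new_device(EVENTS).items():
        print(f"ALERT {user}: {count} cards worth {total} "
              "issued after new device registration")
```

The window and threshold need tuning against the normal issuance behaviour of the accounts that legitimately manage the gift card portfolio.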