US retailers under attack by gift card-thieving cyber gang

Earlier this month, the FBI published a private industry notification about Storm-0539 (aka Atlas Lion), a Morocco-based cyber criminal group that specializes in compromising retailers and creating fraudulent gift cards.

Microsoft then went more in-dept on the group’s tactics, techniques, and procedures (TTPs), which demonstrate their significant reconnaissance skills, their ability to leverage cloud environments, as well as their efforts to keep their operational costs low.

“Storm-0539’s skill at compromising and creating cloud-based attack infrastructure lets them avoid common upfront costs,” Microsoft’s analysts noted.

The group present themselves as legitimate non-profits to cloud providers to receive sponsored or discounted services, uses free trials or student accounts, and compromises recently registered WordPress domains to host fraudulent pages.

How Storm-0539 operates

The group figures out employees’ personal and work mobile phone numbers and emails by analyzing publicly available information, then targets them with messages urging them to follow the provided link.

Storm-0539 impersonating a targeted employee’s company help desk. (Source: Microsoft Threat Intelligence)

“[Targeted users] are redirected to an AiTM phishing page for credential theft and secondary authentication token capture,” the analysts shared.

Armed with that info, they can registering their own devices to victim environments so they can receive multifactor authentication (MFA) prompts associated with a compromised victim account.

“Once an employee account at a targeted organization is infiltrated, the attackers move laterally through the network, trying to identify the gift card business process, pivoting toward compromised accounts linked to this specific portfolio,” Microsoft says.

The group creates fraudulent gift cards using compromised employee accounts, then they either redeem the value associated with those cards, sell the gift cards on black markets, or use money mules to cash out them out.

“In one instance, a corporation detected Storm-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards,” the FBI said.

“Storm-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by Storm-0539 actors in order to redeem the gift cards.”

Targets and defensive actions to take

Microsoft says that in the last two months they’ve observed a 30% increase in intrusion activity from Storm-0539, to take advantage of the summer holiday season in the US. (But every holiday season is accompanied by increased gift card fraud.)

The criminal group has been active since at least 2021 and they are constantly switching techniques to adapt to the changes made by their preferred targets: large retailers, luxury brands, and fast-food restaurants.

The company has recommended the implementation of a number of countermeasures to minimize the risk of a successful Storm-0539 compromise.