The FBI has warned retail companies in the US that a financially motivated hacking group has been targeting employees in their gift card departments with phishing attacks since at least January 2024.
Tracked as Storm-0539, the group targets the personal and work mobile devices of retail department staff using a sophisticated phishing kit that lets it bypass multi-factor authentication.
Once inside an employee's account, the attackers move laterally through the network, trying to identify the gift card business process and pivoting toward compromised accounts tied to that particular portfolio.
Besides stealing the login credentials of gift card department personnel, they also go after secure shell (SSH) passwords and keys. Together with stolen employee data such as names, usernames, and phone numbers, these could be sold for financial gain or used by Storm-0539 in future attacks.
If the hackers succeed in breaching a victim's corporate gift card department, they use the compromised employee accounts to generate fraudulent gift cards.
“In one instance, a corporation detected STORM-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards,” the FBI said in a Private Industry Notification [PDF] issued this week.
“STORM-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by STORM-0539 actors in order to redeem the gift cards.”
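The tactic the FBI describes in that passage, re-pointing unredeemed gift cards at attacker-controlled e-mail addresses, leaves a distinctive trace in a gift card portal's audit trail: one account changing the e-mail on several unredeemed cards, in a short burst, all to the same unfamiliar domain. The following detector is an added example written for this article, not code from the FBI or any vendor. It assumes the portal writes one JSON audit record per field change with the keys shown; the record layout, field names, the 30-minute window and the three-card threshold are assumptions, and the sample records are constructed.

```python
"""Spot bulk redirection of unredeemed gift cards to one new e-mail domain.

Added example, not FBI or vendor code. The audit record layout, field names
and thresholds are assumptions; the sample records below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: one legitimate single change by "jdoe", and a
# burst of e-mail changes by "mlee" that all point at the same unfamiliar
# domain. One of mlee's edits is not an e-mail change and one card is already
# redeemed; both are ignored by the rule.
SAMPLE_AUDIT = """
{"ts": "2024-05-06T09:00:01Z", "actor": "jdoe", "card_id": "GC-1001", "field": "email", "old": "a@customer.example", "new": "a2@customer.example", "redeemed": false}
{"ts": "2024-05-06T21:10:05Z", "actor": "mlee", "card_id": "GC-2001", "field": "email", "old": "b@customer.example", "new": "x1@dropmail.example", "redeemed": false}
{"ts": "2024-05-06T21:11:40Z", "actor": "mlee", "card_id": "GC-2002", "field": "email", "old": "c@customer.example", "new": "x2@dropmail.example", "redeemed": false}
{"ts": "2024-05-06T21:12:02Z", "actor": "mlee", "card_id": "GC-2003", "field": "amount", "old": "50", "new": "50", "redeemed": false}
{"ts": "2024-05-06T21:13:15Z", "actor": "mlee", "card_id": "GC-2004", "field": "email", "old": "d@customer.example", "new": "x3@dropmail.example", "redeemed": false}
{"ts": "2024-05-06T21:14:50Z", "actor": "mlee", "card_id": "GC-2005", "field": "email", "old": "e@customer.example", "new": "x4@dropmail.example", "redeemed": true}
{"ts": "2024-05-06T21:16:09Z", "actor": "mlee", "card_id": "GC-2006", "field": "email", "old": "f@customer.example", "new": "x5@dropmail.example", "redeemed": false}
"""


def parse_audit(text):
    """Newline-delimited JSON -> list of dicts with datetime timestamps, oldest first."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for rec in records:
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return sorted(records, key=lambda rec: rec["ts"])


def find_bulk_redirections(records, window=timedelta(minutes=30), min_cards=3):
    """Return {actor: {"domain": ..., "cards": [...]}} for every actor who pointed
    at least `min_cards` unredeemed cards at the same new e-mail domain within
    one `window`. Redeemed cards and non-e-mail edits are ignored because they
    cannot be cashed out this way."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec["field"] == "email" and not rec["redeemed"]:
            by_actor[rec["actor"]].append(rec)

    alerts = {}
    for actor, changes in by_actor.items():
        for i, first in enumerate(changes):
            # Sliding window anchored at each e-mail change by this actor.
            burst = [c for c in changes[i:] if c["ts"] - first["ts"] <= window]
            domains = {c["new"].rsplit("@", 1)[-1].lower() for c in burst}
            if len(burst) >= min_cards and len(domains) == 1:
                alerts[actor] = {
                    "domain": domains.pop(),
                    "cards": sorted(c["card_id"] for c in burst),
                }
                break
    return alerts


if __name__ == "__main__":
    for actor, hit in find_bulk_redirections(parse_audit(SAMPLE_AUDIT)).items():
        print(f"ALERT {actor}: {len(hit['cards'])} unredeemed cards redirected to {hit['domain']}")
```

Run against the constructed records, the rule ignores jdoe's single change and flags mlee for four unredeemed cards redirected to dropmail.example. Because the FBI notes that the group pivots between several compromised accounts, a production version should also aggregate by destination domain across actors, not only per actor.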
How to defend against Storm-0539's attacks
The FBI advises retail companies across the US to review and update their incident response plans and to consider training employees to recognize phishing scams and not to share sensitive information such as credentials via email, chat, or phone calls, in order to reduce the risk and impact of such phishing attacks.
Potential targets should also require multi-factor authentication wherever possible, use up-to-date antivirus and anti-malware solutions, enforce strong password policies, and apply the principle of least privilege across their networks.
The FBI's PIN follows a mid-December warning from Microsoft, which cautioned of a surge in Storm-0539 gift card fraud and theft attacks during the holiday season.
“After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity,” Microsoft said.
“With each successful compromise, Storm-0539 escalates privileges, moves laterally, and accesses cloud resources to collect specific information. Storm-0539 enumerates internal resources and identifies gift card-related services that can be used for gift card fraud.”
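The device-registration step Microsoft describes above is the point where a stolen session turns into durable access, and it is also detectable: a new MFA method is registered shortly after a sign-in from an IP address and device the user has never used before. The rule below is an added example for this article, not code from Microsoft or the FBI. The event schema (a `signin` event carrying `ip` and `device`, and an `mfa_method_added` event) is an assumption rather than any identity provider's real log format, and the sample events are constructed.

```python
"""Flag MFA-method registrations that closely follow a sign-in from a source
the user has never used before.

Added example, not Microsoft or FBI code. The event schema is assumed, not a
real identity provider's format; the sample events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "asmith" has a history on a corporate laptop, then a
# sign-in from an unfamiliar IP/device is followed minutes later by a new
# authenticator registration. "bjones" enrols a key during normal onboarding,
# and asmith later adds a method from the usual laptop; neither should fire.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T08:00:00Z", "type": "signin", "user": "asmith", "ip": "10.20.0.5", "device": "corp-laptop-17"}
{"ts": "2024-05-02T08:05:00Z", "type": "signin", "user": "asmith", "ip": "10.20.0.5", "device": "corp-laptop-17"}
{"ts": "2024-05-03T09:00:00Z", "type": "signin", "user": "bjones", "ip": "10.20.0.9", "device": "corp-laptop-22"}
{"ts": "2024-05-03T09:10:00Z", "type": "mfa_method_added", "user": "bjones", "method": "fido2_key"}
{"ts": "2024-05-06T22:41:10Z", "type": "signin", "user": "asmith", "ip": "203.0.113.77", "device": "unknown-android"}
{"ts": "2024-05-06T22:44:30Z", "type": "mfa_method_added", "user": "asmith", "method": "authenticator_app"}
{"ts": "2024-05-07T08:02:00Z", "type": "signin", "user": "asmith", "ip": "10.20.0.5", "device": "corp-laptop-17"}
{"ts": "2024-05-07T08:30:00Z", "type": "mfa_method_added", "user": "asmith", "method": "phone"}
"""


def parse_events(text):
    """Newline-delimited JSON -> list of dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda ev: ev["ts"])


def find_suspicious_mfa_registrations(events, max_gap=timedelta(hours=1)):
    """Return an alert for each mfa_method_added event that occurs within
    `max_gap` of a sign-in from an (ip, device) pair the user had never used
    before. A user's very first sign-in counts as onboarding, not as an
    unfamiliar source, so new-hire enrolment does not trigger the rule."""
    seen = defaultdict(set)   # user -> {(ip, device), ...} observed so far
    last_signin = {}          # user -> (sign-in event, came_from_new_source)
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["type"] == "signin":
            source = (ev["ip"], ev.get("device"))
            from_new_source = bool(seen[user]) and source not in seen[user]
            seen[user].add(source)
            last_signin[user] = (ev, from_new_source)
        elif ev["type"] == "mfa_method_added":
            prior = last_signin.get(user)
            if prior is None:
                continue  # no sign-in on record; outside the scope of this rule
            signin, from_new_source = prior
            gap = ev["ts"] - signin["ts"]
            if from_new_source and gap <= max_gap:
                alerts.append({
                    "user": user,
                    "method": ev["method"],
                    "source_ip": signin["ip"],
                    "device": signin.get("device"),
                    "minutes_after_signin": round(gap.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_mfa_registrations(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['user']}: {a['method']} registered {a['minutes_after_signin']} min "
              f"after first-ever sign-in from {a['source_ip']} ({a['device']})")
```

On the constructed events only asmith's registration from the unfamiliar Android device fires. One design caveat: the rule learns "known sources" from the same stream it inspects, so once the attacker's device has been seen it becomes familiar; in practice the baseline should be built from a trusted historical period, and a registration that fires should be paired with revocation of the session token Microsoft says the attacker started from, not just of the new method.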