Moroccan Cybercrime Group Steals Up to $100K Daily Through Gift Card Fraud

Microsoft is calling attention to a Morocco-based cybercrime group dubbed Storm-0539 that is behind gift card fraud and theft through highly sophisticated email and SMS phishing attacks.

“Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate,” the company said in its latest Cyber Signals report. “We’ve seen some examples where the threat actor has stolen up to $100,000 a day at certain companies.”

Storm-0539 was first spotlighted by Microsoft in mid-December 2023, linking it to social engineering campaigns ahead of the year-end holiday season to steal victims’ credentials and session tokens via adversary-in-the-middle (AitM) phishing pages.

The gang, also called Atlas Lion and active since at least late 2021, is known to then abuse the initial access to register their own devices to bypass authentication and obtain persistent access, gain elevated privileges, and compromise gift card-related services by creating bogus gift cards to facilitate fraud.

The attack chains are further designed to gain covert access to a victim’s cloud environment, allowing the threat actor to carry out extensive reconnaissance and weaponize the infrastructure to achieve their end goals. Targets of the campaign include large retailers, luxury brands, and well-known fast-food restaurants.

The end goal of the operation is to redeem the value associated with those cards, sell the gift cards to other threat actors on black markets, or use money mules to cash out the gift cards.

The criminal targeting of gift card portals marks a tactical evolution of the threat actor, which has previously engaged in stealing payment card data by using malware on point-of-sale (PoS) devices.

The Windows maker said it observed a 30% increase in Storm-0539 intrusion activity between March and May 2024, describing the attackers as leveraging their deep knowledge of the cloud to “conduct reconnaissance on an organization’s gift card issuance processes.”

Earlier this month, the U.S. Federal Bureau of Investigation (FBI) released an advisory [PDF] warning of smishing attacks perpetrated by the group targeting the gift card departments of retail corporations using a sophisticated phishing kit to bypass multi-factor authentication (MFA).

“In one instance, a corporation detected Storm-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards,” the FBI said.

“Storm-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by Storm-0539 actors in order to redeem the gift cards.”

It’s worth noting that the threat actor’s activities go beyond stealing the login credentials of gift card department personnel; their efforts also extend to acquiring secure shell (SSH) passwords and keys, which could then be sold for financial gain or used for follow-on attacks.

Another tactic adopted by Storm-0539 entails the use of legitimate internal company mailing lists to disseminate phishing messages upon gaining initial access, adding a veneer of authenticity to the attacks. It has also been found creating free trials or student accounts on cloud service platforms to set up new websites.

The abuse of cloud infrastructure, including by impersonating legitimate non-profits to cloud service providers, is a sign that financially motivated groups are borrowing a page out of advanced state-sponsored actors’ playbooks to camouflage their operations and remain undetected.

Microsoft is urging companies that issue gift cards to treat their gift card portals as high-value targets by monitoring for suspicious logins.

“Organizations should also consider complementing MFA with conditional access policies where authentication requests are evaluated using additional identity-driven signals like IP address location information or device status, among others,” the company noted.

“Storm-0539 operations are persuasive due to the actor’s use of legitimate compromised emails and the mimicking of legitimate platforms used by the targeted company.”
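A triage sketch for the login monitoring recommended above, added here as an example and not taken from Microsoft's report: it flags a new device registration that follows a sign-in whose location or device status looked wrong, the pattern the group uses to keep access after phishing a session. The event fields, the per-user baseline, and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a real log schema.
EVENTS = [
    {"time": "2024-05-02T09:00:00", "user": "alice", "type": "signin",
     "country": "US", "device_managed": True},
    {"time": "2024-05-02T21:14:00", "user": "bob", "type": "signin",
     "country": "ZZ", "device_managed": False},
    {"time": "2024-05-02T21:20:00", "user": "bob", "type": "device_registered",
     "device": "DESKTOP-NEW"},
    {"time": "2024-05-03T08:30:00", "user": "alice", "type": "device_registered",
     "device": "alice-laptop-2"},
]
BASELINE = {"alice": {"US"}, "bob": {"US"}}  # usual sign-in countries (assumed)
WINDOW = timedelta(hours=1)                  # correlation window (assumed)

def risky_signin(ev, baseline=BASELINE):
    """Identity signals a conditional access policy would weigh on top of MFA."""
    reasons = []
    if ev["country"] not in baseline.get(ev["user"], set()):
        reasons.append("unfamiliar location")
    if not ev["device_managed"]:
        reasons.append("unmanaged device")
    return reasons

def find_suspicious_registrations(events, window=WINDOW):
    """Alert when a device is registered soon after a risky sign-in by the same user."""
    alerts = []
    last_risky = {}  # user -> (time of risky sign-in, reasons)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "signin":
            reasons = risky_signin(ev)
            if reasons:
                last_risky[ev["user"]] = (t, reasons)
        elif ev["type"] == "device_registered":
            hit = last_risky.get(ev["user"])
            if hit and t - hit[0] <= window:
                alerts.append({"user": ev["user"], "device": ev["device"],
                               "reasons": hit[1]})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_registrations(EVENTS):
        print(alert)
```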

The development comes as Enea revealed details of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card scams that redirect users to malicious websites with an aim to plunder sensitive information.

“The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions,” Enea researcher Manoj Kumar said.

“When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket. This website then automatically forwards or redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript, all without the user’s awareness.”

In early April 2023, Enea also uncovered campaigns that involve URLs constructed using the legitimate Google address, “google.com/amp,” which is then combined with encoded characters to hide the scam URL.

“This kind of trust is being exploited by malicious actors trying to trick mobile subscribers by hiding behind seemingly legitimate URLs,” Kumar pointed out. “Attacker techniques can include luring subscribers to their websites under false pretenses, and stealing sensitive information such as credit card details, email or social media credentials, and other personal data.”
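A filter for the two link patterns Enea describes, added here as an example and not Enea's own tooling: it pulls URLs out of an SMS body and flags those hosted on the named storage services or using a google.com/amp path that contains percent-encoded characters. The host patterns are assumed public endpoint forms, and the sample messages are constructed with placeholder buckets and domains.

```python
import re
from urllib.parse import urlsplit

# Host patterns for the storage services named above (assumed public endpoint forms).
STORAGE_HOSTS = [
    (re.compile(r"(^|\.)s3[.-][a-z0-9.-]*amazonaws\.com$"), "Amazon S3"),
    (re.compile(r"(^|\.)storage\.googleapis\.com$"), "Google Cloud Storage"),
    (re.compile(r"(^|\.)backblazeb2\.com$"), "Backblaze B2"),
    (re.compile(r"(^|\.)cloud-object-storage\.appdomain\.cloud$"),
     "IBM Cloud Object Storage"),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")

def classify_url(url):
    """Return reasons a link in an SMS deserves review; empty list if none apply."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    for pattern, service in STORAGE_HOSTS:
        if pattern.search(host):
            reasons.append(f"static content hosted on {service}")
    # urlsplit leaves the path undecoded, so percent-encoding is still visible here.
    if host in ("google.com", "www.google.com") and parts.path.lower().startswith("/amp/"):
        if PCT_RE.search(parts.path):
            reasons.append("google.com/amp path with encoded characters")
    return reasons

def scan_message(text):
    """Extract URLs from an SMS body and keep those with at least one reason."""
    hits = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)!")  # drop sentence punctuation glued to the link
        reasons = classify_url(url)
        if reasons:
            hits[url] = reasons
    return hits

# Constructed sample messages; buckets and domains are placeholders.
SAMPLES = [
    "You won a gift card! Claim: https://storage.googleapis.com/example-bucket-0001/index.html",
    "Redeem now https://www.google.com/amp/s/%65%78ample.invalid/gift.",
    "Your order shipped: https://www.example.com/orders/123",
    "Card ready https://example-bucket.s3.us-east-1.amazonaws.com/a.html",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(scan_message(sms))
```

A hit is a reason to inspect the landing page, not a verdict: these hosts also serve legitimate content, so the output is best used as one signal among others.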
