Through gift card fraud, Moroccan cybercriminals steal up to $100K daily

Microsoft is reaching awareness to a Morocco-based cybercrime group dubbed Storm-0539 that's behind gift card scams and stealing via highly refined email and SMS phishing attacks. "Their prior reason is to rob gift cards and earnings by marketing them online at a discounted price," the business stated in its latest Cyber Signals report. "We've seen some samples where the danger actor has looted up to $100,000 a day at specific organizations."

Storm-0539 was first highlighted by Microsoft in mid-December 2023, connecting it to social engineering movements forward of the year-end vacation season to rob victims' certificates and session tickets through adversary-in-the-middle (AitM) phishing pages. The unit, also named Atlas Lion and active since at least late 2021, is known to then manipulate the initial key to register their machines to avoid authentication and get continued access, achieve high benefits, and mean gift card-related services by making fake gift cards to reduce fake.

The attack chains are also developed to acquire confidential keys to a victim's cloud environment, permitting the danger actor to take out comprehensive surveys and weaponize the infrastructure to gain their future destinations. Targets of the movement include extensive dealers, luxury brands, and famous fast-food cafes. The future purpose of the process is to save the significance associated with those cards, sell the gift cards to different cyberpunks on black markets, or utilize money smugglers to cash out the gift cards.

The illegal targeting of gift card outlets scores a tactical change of the threat actor, which has yet to encounter looting payment card data by utilizing malware on point-of-sale (PoS) machines. The Windows engineer stated it marked a 30% growth in Storm-0539 intrusion activity between March and May 2024, defining the assaulters as leveraging their in-depth learning of the cloud to "perform surveillance on an association's gift card allocation strategies."

Earlier this month, the U.S. Federal Bureau of Investigation (FBI) released an advisory [PDF] notification of smishing attacks perpetrated by the company targeting the gift card units of retail businesses operating refined phishing tools to avoid multi-factor authentication (MFA). "In one example, a company caught Storm-0539's dishonest gift card action in their design, and created modifications to control the result of dishonest gift cards," the FBI stated.

"Storm-0539 actors resumed their smishing attacks and recovered access to corporate systems. Then, the actors shifted tactics to finding unredeemed gift cards, and modified the associated email addresses to ones owned by Storm-0539 actors to save the gift cards."

It's worth mentioning that the dangerous actor's actions go further by robbing the login details of gift card unit personnel. Their actions also spread to developing secure shell (SSH) passwords and keys, which could then be traded for economic growth or utilized for follow-on raids. Another tactic embraced by Storm-0539 entails the usage of fair interior business mailing checklists to share phishing notes upon achieving initial access, adding a front of realism to the attacks. It has also been discovered to make free tests or scholar accounts on cloud service media to set up new websites.

The misuse of cloud infrastructure, containing imitating honest nonprofits to cloud service providers, is a character that financially inspired parties are borrowing a page out of progressive state-sponsored actors' playbooks to hide their procedures and stay hidden. Microsoft is encouraging businesses that give gift cards to feast their gift card outlets as high-value targets by watching for questionable logins.

"Institutions should also believe in complementing MFA with conditional access guidelines where authentication proposals are assessed utilizing different identity-driven movements like IP address area data or device group, among others," the business stated. "Storm-0539 operations are clear due to the actor's use of fair compromised emails and the mimicking of honest media used by the targeted organization."

The development comes as Enea announced details of illegal movements that manipulate cloud hold services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage for SMS-based gift card frauds that divert users to negative websites to take sensitive knowledge. "The URL relating to the cloud storage is spread through text notes, which seem to be accurate and can thus avoid firewall limitations," Enea investigator Manoj Kumar expressed.

"When mobile users click on these links, which include well-known cloud medium territories, they are referred to the fixed website held in the storage bucket. This website then automatically delivers or diverts users to the implanted fraudURLs or dynamically developed URLs utilizing JavaScript, all without the user's attention." In early April 2023, Enea also found movements that affect URLs created operating the honest Google address, "," which is then integrated with encoded symbols to cover the fraud URL.

"This type of faith is being manipulated by hostile actors trying to cheat mobile subscribers by concealing behind apparently honest URLs," Kumar pointed out. "Attacker strategies can contain attracting subscribers to their websites under fronts, and robbing susceptible knowledge such as credit card details, email or social media credentials, and other confidential data."