Financial Crime World

Cybercrime in Finance: Morocco-Based Group Storm-0539 Steals Gift Cards Worth $100,000 a Day

A sophisticated cybercrime group based in Morocco has been stealing gift cards worth up to $100,000 a day through highly targeted email and SMS phishing attacks, according to Microsoft’s latest Cyber Signals report.

The Group: Storm-0539 (Atlas Lion)

The group, known as Storm-0539 or Atlas Lion, was first spotted by Microsoft in mid-December 2023. Its primary motivation is to steal gift cards and sell them online at a discounted rate.

Modus Operandi

Once the attackers gain access to a victim’s system, they:

  • Abuse initial access to register their own devices
  • Bypass authentication
  • Obtain persistent access to compromise gift card-related services
  • Create bogus gift cards to facilitate fraud
  • Use stolen credentials to carry out extensive reconnaissance in a victim’s cloud environment

Tactics Used by the Group

The group has been observed using various tactics, including:

  • Adversary-in-the-middle (AitM) phishing pages that steal victims’ credentials and session tokens
  • Legitimate internal company mailing lists, used to disseminate phishing messages
  • Free trial or student accounts on cloud service platforms, created to set up new websites
  • Impersonation of legitimate non-profits when dealing with cloud service providers

Targets of the Campaign

The group has targeted large retailers, luxury brands, and well-known fast-food restaurants.

FBI Warning

The FBI released an advisory earlier this month warning of smishing attacks perpetrated by the group targeting the gift card departments of retail corporations. In one instance, a corporation detected Storm-0539’s fraudulent gift card activity in its system but was unable to prevent the creation of fraudulent gift cards.

Recommendations from Microsoft

Microsoft is urging companies that issue gift cards to:

  • Treat their gift card portals as high-value targets
  • Monitor for suspicious logins
  • Complement multi-factor authentication (MFA) with conditional access policies that evaluate authentication requests using additional identity-driven signals, such as IP address location information or device status
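
One way to apply the last two recommendations, as an added example that is not from Microsoft's report or the original article: a Python sketch that evaluates sign-ins on IP country and device status, and flags a device registration that follows a risky sign-in (the persistence step listed under Modus Operandi). The event field names, the per-user baseline, the portal name and the 30-minute window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (hypothetical, not from the report): event field names,
# the per-user country baseline, the portal name and the 30-minute window.
BASELINE = {"alice@retail.example": {"countries": {"US"}}}
WINDOW = timedelta(minutes=30)
PORTAL = "giftcard-portal"

# Constructed sample events ("XX" is a placeholder country code).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@retail.example", "type": "signin",
     "country": "US", "device_managed": True, "app": PORTAL},
    {"ts": "2024-05-02T02:10:00", "user": "alice@retail.example", "type": "signin",
     "country": "XX", "device_managed": False, "app": PORTAL},
    {"ts": "2024-05-02T02:18:00", "user": "alice@retail.example",
     "type": "device_registration", "device_id": "dev-constructed-01"},
]

def signin_risk(event, baseline):
    """Return the identity-driven signals that make this sign-in risky."""
    known = baseline.get(event["user"], {}).get("countries", set())
    reasons = []
    if event["country"] not in known:
        reasons.append("unfamiliar_country")
    if not event["device_managed"]:
        reasons.append("unmanaged_device")
    return reasons

def conditional_access(event, baseline):
    """Block risky sign-ins to the gift card portal even if MFA succeeded."""
    reasons = signin_risk(event, baseline)
    return ("block" if event.get("app") == PORTAL and reasons else "allow", reasons)

def detect_registration_after_risky_signin(events, baseline):
    """Flag device registrations within WINDOW of a risky sign-in by the same user."""
    last_risky, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "signin":
            reasons = signin_risk(e, baseline)
            if reasons:
                last_risky[e["user"]] = (ts, reasons)
        elif e["type"] == "device_registration" and e["user"] in last_risky:
            risky_ts, reasons = last_risky[e["user"]]
            if ts - risky_ts <= WINDOW:
                alerts.append({"user": e["user"], "device_id": e["device_id"],
                               "reasons": reasons})
    return alerts
```

The detection function is useful where a policy runs in report-only mode or the sign-in was allowed for another application: the registration alert still fires.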

Cloud Storage Services Exploitation

Enea recently revealed details of criminal campaigns that exploit cloud storage services to send SMS-based gift card scams, which redirect users to malicious websites in an attempt to plunder sensitive information.