Cybercrime Group in Morocco Targets US Retailers with Gift Card Scams, Microsoft Reveals
===========================================================
A sophisticated cybercrime group based in Morocco has been impersonating non-profit organizations to gain access to cloud accounts, which it then uses to operate a growing number of gift card theft scams targeting top US retailers. According to researchers at Microsoft, the group, tracked as Storm-0539 or Atlas Lion, has increased its activity by 30% since March.
Targeting Major Retailers
-------------------------
The group specializes in targeting major retailers, focusing on key employees or offices that control payment and gift card operations. After successfully phishing those employees, the attackers gain access to intricate cloud environments and specific company procedures, allowing them to maximize the amount of money stolen through fraudulently issued payment or gift cards.
Phishing and Cloud Infiltration
-------------------------------
The FBI warned in May that the group has been highly successful in targeting key employees’ personal and work cell phones, bypassing multi-factor authentication by registering its own phones as authentication devices on the compromised accounts. In one case, a retailer noticed Storm-0539 activity but was unable to stop it, allowing the group to continue its attack and target unredeemed gift cards.
Unique Tactics
--------------
The group is unique in the cybercrime ecosystem due to its base in Morocco, adept knowledge of cloud environments, and lack of reliance on malware. “They essentially log in instead of break in,” said Emiel Haeghebaert, a senior hunt analyst at Microsoft’s Threat Intelligence Center.
Scam Operation
--------------
To carry out their scams, the group creates domains posing as legitimate non-profit organizations, obtains discounted or free cloud services, and uses virtual machines to host infrastructure tied to their operations. The group’s reconnaissance and ability to leverage cloud environments are similar to those of nation-state-sponsored threat actors, according to Microsoft researchers.
Defending Against the Attack
----------------------------
While it is unclear how much money the group has stolen, Haeghebaert noted that they are highly successful in understanding individual companies’ gift card policies and staying just under the thresholds those policies set. Companies can defend themselves against this strain of attack by:
- Enabling multi-factor authentication for all employees
- Implementing the principle of least privilege
- Treating gift card portals and infrastructure as high-value targets
Monitoring Network Activity
---------------------------
According to Haeghebaert, companies should also monitor baseline activity on their networks, flagging anomalous behavior such as unusual login times or locations. “Something like that would be extremely effective against this group,” he said.
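The baseline monitoring Haeghebaert describes, combined with the MFA device-registration tactic noted earlier, can be turned into a concrete detection. The following Python sketch is an added example, not code from the article or from Microsoft: it learns each user's usual countries and working hours from earlier successful sign-ins, flags later sign-ins that fall outside that baseline, and escalates any new MFA method registered shortly after such a sign-in. The user name, country codes, timestamps, the 24-hour correlation window and the event records themselves are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (user, UTC timestamp, country, outcome).
# Illustrative records only, not telemetry from any real tenant.
SIGN_INS = [
    ("giftcard-ops@example.com", "2024-05-06T08:55:00", "US", "success"),
    ("giftcard-ops@example.com", "2024-05-07T09:12:00", "US", "success"),
    ("giftcard-ops@example.com", "2024-05-08T13:30:00", "US", "success"),
    ("giftcard-ops@example.com", "2024-05-09T16:45:00", "US", "success"),
    ("giftcard-ops@example.com", "2024-05-20T10:05:00", "US", "success"),  # normal
    ("giftcard-ops@example.com", "2024-05-21T02:39:00", "MA", "failure"),  # ignored
    ("giftcard-ops@example.com", "2024-05-21T02:41:00", "MA", "success"),  # anomalous
]

# Constructed MFA-method registration events: (user, UTC timestamp, method).
MFA_REGISTRATIONS = [
    ("giftcard-ops@example.com", "2024-05-06T09:00:00", "authenticator-app"),
    ("giftcard-ops@example.com", "2024-05-21T02:50:00", "phone"),
]

# Assumed cut-off: everything before this date is treated as known-good history.
BASELINE_END = datetime(2024, 5, 15)


def build_baseline(sign_ins, baseline_end=BASELINE_END):
    """Learn per-user countries and a working-hour window from successful sign-ins before baseline_end."""
    seen = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country, outcome in sign_ins:
        when = datetime.fromisoformat(ts)
        if outcome != "success" or when >= baseline_end:
            continue
        seen[user]["countries"].add(country)
        seen[user]["hours"].add(when.hour)
    baseline = {}
    for user, data in seen.items():
        baseline[user] = {
            "countries": data["countries"],
            # Any hour between the earliest and latest observed hour counts as normal.
            "hour_window": (min(data["hours"]), max(data["hours"])),
        }
    return baseline


def flag_sign_ins(sign_ins, baseline, baseline_end=BASELINE_END):
    """Return (user, timestamp, reasons) for successful post-baseline sign-ins that deviate from the baseline."""
    alerts = []
    for user, ts, country, outcome in sign_ins:
        when = datetime.fromisoformat(ts)
        if outcome != "success" or when < baseline_end:
            continue
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if country not in profile["countries"]:
                reasons.append(f"new country {country}")
            lo, hi = profile["hour_window"]
            if not lo <= when.hour <= hi:
                reasons.append(f"outside usual hours ({lo:02d}:00-{hi:02d}:59)")
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts


def flag_mfa_registrations(registrations, sign_in_alerts, window=timedelta(hours=24)):
    """Escalate any MFA method registered within `window` after an anomalous sign-in by the same user."""
    anomalous = defaultdict(list)
    for user, ts, _reasons in sign_in_alerts:
        anomalous[user].append(datetime.fromisoformat(ts))
    escalations = []
    for user, ts, method in registrations:
        when = datetime.fromisoformat(ts)
        for start in anomalous.get(user, []):
            if start <= when <= start + window:
                escalations.append((user, ts, method))
                break
    return escalations


def run(sign_ins=SIGN_INS, registrations=MFA_REGISTRATIONS):
    """Run both stages over the sample data and return (sign-in alerts, MFA escalations)."""
    baseline = build_baseline(sign_ins)
    sign_in_alerts = flag_sign_ins(sign_ins, baseline)
    return sign_in_alerts, flag_mfa_registrations(registrations, sign_in_alerts)


if __name__ == "__main__":
    sign_in_alerts, mfa_alerts = run()
    for alert in sign_in_alerts:
        print("ANOMALOUS SIGN-IN:", alert)
    for alert in mfa_alerts:
        print("MFA METHOD ADDED AFTER ANOMALOUS SIGN-IN:", alert)
```

On the sample data the 10:05 sign-in from a known country passes quietly, the 02:41 sign-in is flagged for both a new country and an off-hours time, and the phone registered nine minutes later is escalated. The two-stage shape matters: an off-hours login on its own is noisy, but the same login followed by a new authentication method on a gift-card operations account is exactly the pattern the article describes and deserves immediate review.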
By taking proactive steps to secure their cloud environments and defend against these types of attacks, retailers can reduce the risk of falling victim to Storm-0539’s gift card scams.