Morocco-based cybercriminals cashing in on bold gift card scams, Microsoft says
A Morocco-based cybercriminal operation is breaching the systems of large retailers in order to fraudulently issue gift card codes to themselves, according to a new Microsoft report.
Tagged as Atlas Lion or Storm-0539, the group has been spotlighted repeatedly by Microsoft over the last year for its sophisticated tactics in breaching retailers.
“Rather than scam or phish everyday people directly for gift card-based payments, Storm-0539 infiltrates large retailers and fraudulently issues gift card codes to themselves, virtually printing their own money,” Microsoft’s Vasu Jakkal explained.
“Unlike most cybercriminals, who move on to new targets once their objective is complete, Storm-0539 remains in the system for repeated cash-outs.”
Gift cards have long been an attractive target for cybercriminals because they typically are not attached to specific customers or bank accounts, limiting the scrutiny of their use. Gift card scams typically increase during holiday seasons like Christmas or Labor Day.
Ahead of the Memorial Day holiday, Microsoft said it has seen a 30% increase in activity conducted by Storm-0539 compared to the preceding two months.
Microsoft has been tracking Storm-0539 since late 2021 and has watched the group evolve. It began by stealing payment card data using malware on point-of-sale (POS) devices like retail cash registers and kiosks. As technology has evolved, it moved to targeting cloud services and card systems used by large retailers, luxury brands, and well-known fast-food restaurants.
Cloud compromises
Jakkal said Storm-0539 has become adept at conducting reconnaissance on organizations’ gift card issuance processes and employee access before compromising accounts.
“To remain undetected, Storm-0539 adopts the guise of legitimate organizations, obtaining resources from cloud providers under the pretense of being non-profits. They create convincing websites, often with misleading ‘typosquatting’ domain names a few characters different from authentic websites, to lure unsuspecting victims, further demonstrating their cunning and resourcefulness,” Jakkal explained.
Microsoft said it has seen the hackers download legitimate copies of 501(c)(3) letters issued by the Internal Revenue Service (IRS) from nonprofit organizations’ public websites — using them to get discounted cloud products from providers.
From there, they gain access to login information through phishing and smishing texts before registering their own devices into a victim’s network, allowing them to bypass MFA and maintain their access to an environment.
The group then creates new gift cards and either cashes them out through money mules or sells them to other cybercriminals at a discount on the dark web.
Microsoft researchers said they have seen instances where threat actors steal up to $100,000 a day at certain companies through individual gift cards.
Microsoft warned organizations that issue gift cards to treat card-issuing portals as high-value targets that need extensive checks and balances before cards are created.
In a report in December, Microsoft released a similar warning about Storm-0539 launching an increasing number of attacks during the holiday season.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.