Microsoft revealed new information about the hacking group Storm-0539 and a notable increase in gift card theft that could impact the upcoming Memorial Day celebration in the United States.
Reports highlighted the threat group’s advanced techniques in gift card theft and fraud. Researchers claimed its tactics were similar to those of state-sponsored hackers and sophisticated cyberespionage actors.
Moreover, these threat actors allegedly increase their activity before a notable holiday, indicating that they commonly conduct cybercriminal operations when people are distracted by recent events.
Recent investigations also confirm that the threat actors target enterprises that offer gift cards rather than end consumers. They also expose the widespread misuse of cloud service providers for low-cost operations.
Storm-0539 is a financially motivated group that conducts gift card and payment card fraud.
Experts stated that Storm-0539 is a well-known hacking group that relies on reconnaissance and custom-crafted email and SMS phishing attacks aimed at employees of particular firms, usually gift card providers.
Once they gain access to the target environment through stolen accounts, they register their devices with the company’s MFA platforms to establish persistence before compromising virtual machines, VPNs, SharePoint, OneDrive, Salesforce, and Citrix environments.
Subsequently, the group gains access to credentials that allow them to generate new gift cards, which they redeem on dark web markets or in stores, or cash out through money mules.
Furthermore, to build new infrastructure for their attacks, these threat actors create websites that impersonate non-profit organisations and use them to sign up to cloud service providers.
Microsoft recommends that gift card issuing portal providers regularly monitor for unusual activity and set conditional access controls to prevent a single, potentially compromised account from generating a massive number of cards.
Organisations should also implement token replay protection mechanisms, enforce least privilege access, and secure high-risk accounts. Vendors can also help disrupt the profit chains of Storm-0539 and related threat actors by spotting and rejecting questionable orders.
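The monitoring recommendation above can be sketched as a detection rule that flags any account issuing an unusual number of cards in a short window, and raises the severity when that account recently registered a new MFA device, the persistence step described earlier. This is an added example, not Microsoft's or any vendor's code; the event tuple format, the action names, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumed burst window
MAX_CARDS = 5                       # assumed per-account issuance ceiling per window
MFA_LOOKBACK = timedelta(hours=24)  # assumed correlation window for new MFA devices

def detect(events):
    """Return {account: alert} for accounts exceeding MAX_CARDS issuances in WINDOW.

    events: iterable of (datetime, account, action); the action names
    "mfa_device_registered" and "gift_card_issued" are hypothetical.
    """
    recent = defaultdict(deque)   # account -> issuance timestamps inside WINDOW
    last_mfa = {}                 # account -> most recent MFA device registration
    alerts = {}
    for ts, account, action in sorted(events):
        if action == "mfa_device_registered":
            last_mfa[account] = ts
        elif action == "gift_card_issued":
            q = recent[account]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop issuances that fell out of the window
                q.popleft()
            if len(q) > MAX_CARDS and account not in alerts:
                mfa_ts = last_mfa.get(account)
                new_device = mfa_ts is not None and ts - mfa_ts <= MFA_LOOKBACK
                alerts[account] = {
                    "first_exceeded": ts,
                    "cards_in_window": len(q),
                    "severity": "high" if new_device else "medium",
                }
    return alerts

def sample_events():
    """Constructed audit events: one steady account and two bursting accounts."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ev = [(t0 + timedelta(hours=h), "alice", "gift_card_issued") for h in range(8)]
    ev.append((t0 + timedelta(hours=1), "bob", "mfa_device_registered"))
    ev += [(t0 + timedelta(hours=3, minutes=m), "bob", "gift_card_issued") for m in range(8)]
    ev += [(t0 + timedelta(hours=4, seconds=30 * s), "carol", "gift_card_issued") for s in range(6)]
    return ev

if __name__ == "__main__":
    for account, alert in detect(sample_events()).items():
        print(account, alert)
```

In production the same ceiling is better enforced at the issuing portal as a hard limit, with this rule kept as the alerting layer behind it.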
Still, the best defence against these attacks is for users to be knowledgeable and cautious about these schemes. Internet users planning to take advantage of any sale on Memorial Day should exercise extreme vigilance against fraud, fake stores, and malvertising.