Sharp Rise in Gift Card Theft by Hacking Group Storm-0539 Ahead of Memorial Day

Posted on: 24 May 2024 | Author: Foresiet

Foresiet, your trusted cybersecurity partner, presents the latest insights from Microsoft's "Cyber Signals" report, highlighting the hacking group Storm-0539 and a notable increase in gift card theft as we near the Memorial Day holiday in the United States.

The FBI recently issued a warning about Storm-0539 (also known as "Ant Lion"), emphasizing the group's advanced techniques in executing gift card theft and fraud. Their tactics are on par with those of state-sponsored hackers and sophisticated cyberespionage actors. Microsoft has observed a 60% increase in Storm-0539 activity during last year's winter holidays and a notable 30% rise between March and May 2024.

Storm-0539 Profile and Modus Operandi

Storm-0539 is a financially motivated threat group from Morocco, active since 2021, with a primary focus on gift card and payment card fraud. These threat actors are notorious for their thorough reconnaissance efforts and custom-crafted phishing messages targeting employees of organizations that issue gift cards.

After gaining access to the target environment using stolen accounts, they register their own devices with the company's multi-factor authentication (MFA) platforms to maintain persistence.

They then move laterally by compromising virtual machines, VPNs, SharePoint, OneDrive, Salesforce, and Citrix environments. Ultimately, Storm-0539 acquires credentials that allow them to create new gift cards, which they then redeem on dark web markets, in stores, or by cashing them out using money mules.

Microsoft's Cyber Signals report explains, "Typically, organizations set a limit on the cash value that can be issued to an individual gift card. For example, if that limit is $100,000, the threat actor will issue a card for $99,000 then send themselves the gift card code and monetize them."

To facilitate their attacks, the threat actors create websites impersonating non-profit organizations to sign up with cloud service providers. These accounts join "pay as you go" or "free trial" tiers, which they exploit for large-scale operations at minimal cost.

Microsoft notes that Storm-0539's reconnaissance capabilities and their adeptness at exploiting cloud environments mirror those observed in state-sponsored threat actors. This indicates a trend where tactics commonly associated with espionage and geopolitical adversaries are now being adopted by financially motivated cybercriminals.

Defense Recommendations

To defend against Storm-0539, Microsoft suggests that gift card issuing portal operators constantly monitor for anomalies and implement conditional access policies to prevent a single hijacked account from generating an unusually large number of cards. Additionally, organizations should implement token replay protection measures, enforce least privilege access, and use FIDO2 security keys to protect high-risk accounts.
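As an added example (not code from Microsoft's report or from Foresiet), the script below shows what the recommended anomaly monitoring can look like on the portal side. It runs two checks over a constructed set of gift card issuance records: it flags cards issued at or above 90% of the per-card value limit (the "$99,000 against a $100,000 limit" pattern quoted above) and it flags any single account whose issuance count in a sliding one-hour window exceeds a baseline, which is the same condition a conditional access or rate-limit policy would enforce. The field names, thresholds and sample records are all assumptions for illustration.

```python
"""Anomaly checks over gift card issuance records (added example, constructed data).

Two conditions are flagged:
  1. a card issued at or above a large fraction of the per-card value limit
  2. an account issuing more cards than a baseline allows in a sliding window
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

# Assumed portal policy values (not from the original post).
PER_CARD_LIMIT_USD = 100_000      # maximum value a single card may carry
NEAR_LIMIT_FRACTION = 0.90        # flag cards at >= 90% of that limit
WINDOW = timedelta(hours=1)       # sliding window for the volume check
MAX_CARDS_PER_WINDOW = 5          # baseline: more than this in one window is abnormal

# Constructed sample records: (ISO timestamp, issuing account, card value in USD).
# "portal-svc" plays the role of a hijacked account issuing many cards at night,
# one of them just under the per-card limit.
SAMPLE_ISSUANCES: List[Tuple[str, str, int]] = [
    ("2024-05-20T09:02:00", "alice", 50),
    ("2024-05-20T14:30:00", "alice", 25),
    ("2024-05-20T22:01:00", "portal-svc", 99_000),
    ("2024-05-20T22:05:00", "portal-svc", 500),
    ("2024-05-20T22:09:00", "portal-svc", 500),
    ("2024-05-20T22:14:00", "portal-svc", 500),
    ("2024-05-20T22:20:00", "portal-svc", 500),
    ("2024-05-20T22:31:00", "portal-svc", 500),
    ("2024-05-21T08:15:00", "bob", 100),
]


@dataclass(frozen=True)
class Issuance:
    ts: datetime
    account: str
    value_usd: int


def parse_records(raw: Sequence[Tuple[str, str, int]]) -> List[Issuance]:
    """Turn the raw tuples into typed records with parsed timestamps."""
    return [Issuance(datetime.fromisoformat(ts), acct, val) for ts, acct, val in raw]


def near_limit_cards(records: Sequence[Issuance],
                     per_card_limit: int = PER_CARD_LIMIT_USD,
                     fraction: float = NEAR_LIMIT_FRACTION) -> List[Issuance]:
    """Return every issuance whose value sits at or above fraction * limit."""
    threshold = per_card_limit * fraction
    return [r for r in records if r.value_usd >= threshold]


def peak_cards_per_window(records: Sequence[Issuance],
                          window: timedelta = WINDOW) -> Dict[str, int]:
    """For each account, the largest number of cards issued inside any window.

    Uses a two-pointer sweep over each account's sorted timestamps, so the
    cost is linear in the number of records per account.
    """
    stamps_by_account: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        stamps_by_account[r.account].append(r.ts)

    peaks: Dict[str, int] = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[account] = best
    return peaks


def flag_high_volume(records: Sequence[Issuance],
                     window: timedelta = WINDOW,
                     max_cards: int = MAX_CARDS_PER_WINDOW) -> Dict[str, int]:
    """Accounts whose peak issuance rate exceeds the baseline, with the peak count."""
    return {acct: n for acct, n in peak_cards_per_window(records, window).items()
            if n > max_cards}


def run_checks(raw: Sequence[Tuple[str, str, int]] = SAMPLE_ISSUANCES) -> Dict[str, object]:
    """Run both checks and return the findings as plain data for alerting or tests."""
    records = parse_records(raw)
    return {
        "near_limit": [(r.account, r.value_usd) for r in near_limit_cards(records)],
        "high_volume": flag_high_volume(records),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Both checks return plain data rather than printing, so the same functions can feed a SIEM alert or a blocking rule in the issuance path. In a real deployment the baseline in `MAX_CARDS_PER_WINDOW` would come from each account's historical issuance rate rather than a fixed constant, and a hit on either check is a reason to review the account's recent MFA device registrations, given the persistence technique described above.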

Merchants can also help disrupt the profit chain for Storm-0539 and similar threat actors by recognizing and rejecting suspicious orders. While these attacks do not directly impact holiday shoppers, internet users preparing for Memorial Day should remain vigilant against scams, fake shops, and malvertising.

Foresiet: Your Partner in Cybersecurity

At Foresiet, we understand the importance of staying ahead of cyber threats. Our advanced security solutions and expertise are designed to protect your organization from sophisticated attacks like those carried out by Storm-0539. By implementing robust security measures and maintaining constant vigilance, you can safeguard your systems and data against evolving cyber threats.

Trust Foresiet to provide the tools and knowledge needed to defend your organization against cybercriminals. Stay secure and prepared with Foresiet, your partner in cybersecurity.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.