A hacking group out of Morocco has been spotted infiltrating companies to print out gift card codes valued at up to $100,000 per day. The group, Storm-0539, prints the high-value gift cards with the goal of selling them to buyers on the black market at discounted rates, according to security researchers at Microsoft. “Gift cards are attractive targets for fraud because, unlike credit or debit cards, there are no customer names or bank accounts attached to them,” Microsoft says in a report about the growing risk of gift card fraud.Indeed, fraudsters will sometimes ask victims to pay them using gift card codes to dodge being traced. But in this case, the hackers are going to the source and printing out gift card codes worth thousands. They’ll then redeem the cards’ value, sell them to others, “or use money mules to cash out the gift cards,” Microsoft says. Storm-0539, also known as Atlas Lion, has been active since at least late 2021 and focuses its activities on cybercrime, such as breaking into payment card accounts. But in recent months, Microsoft has also observed the group compromising gift card code systems, particularly before major holiday seasons. “Between March and May 2024, ahead of the summer holiday season, Microsoft observed a 30% increase in intrusion activity from Storm-0539,” the company notes. “Between September and December 2023, we observed a 60% increase in attack activity, coinciding with fall and winter holidays.”The group often infiltrates companies by sending phishing messages to employees’ inboxes and phones to trick them into giving the hijackers access to their accounts. “Once an employee account at a targeted organization is infiltrated, the attackers move laterally through the network, trying to identify the gift card business process, pivoting toward compromised accounts linked to this specific portfolio,” Microsoft adds.
Recommended by Our Editors
The hackers will then issue high-value gift cards through compromised employee accounts at the merchant. To avoid being traced, Storm-0539 will stage its attacks through legitimate cloud service providers by pretending to be a nonprofit or student and tricking the cloud provider into offering them a free trial or discounted access.Microsoft’s report comes weeks after the FBI issued a similar alert about Storm-0539. To fend off the threat, Microsoft says merchants issuing gift cards “should treat their gift card portals as high-value targets” and consistently monitor and audit for suspicious activity. “Attackers like Storm-0539 assume they will find users with excessive access privileges they can compromise for outsized impact,” Microsoft adds. “Establishing a regular review of privileges, distribution list memberships, and other attributes can help limit the fallout of an initial intrusion and make intruders’ work more difficult.”
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.