Storm-0539 Targets Gift Card Issuers, Exploits Cloud for Profit

Microsoft has published a new Cyber Signals report, providing fresh insights into the activities of the hacking group Storm-0539 and the sharp rise in gift card thefts ahead of Memorial Day in the United States.

In the latest Cyber Signals report, Microsoft confirms that the attackers are targeting organizations that issue gift cards rather than end-users. The report also highlights the extensive abuse of cloud services to reduce operational costs.

Microsoft notes that the attackers become more active before major holidays: during Christmas last year, Storm-0539’s activity increased by 60%, and from March to May 2024, there was a notable 30% rise.

Methods of Operation of Storm-0539

Storm-0539

After gaining access to the target environment using stolen credentials, the hackers register their devices in the company’s MFA services to maintain access. They then move laterally across the network, compromising virtual machines, VPNs, SharePoint, OneDrive, Salesforce, and Citrix.

Ultimately, Storm-0539 obtains credentials that allow them to create new gift cards for subsequent sale on the dark web, in stores, or cashing out through money mules.

Typically, companies set a limit on the amount of a single gift card. For instance, if the limit is $100,000, the attackers create a card for $99,000, send the card code to themselves, and cash it out. The primary motivation of the hackers is to steal gift cards and sell them at a discount. In some cases, the attackers stole up to $100,000 per day from certain companies, as explained by Microsoft.

To establish new infrastructure, cybercriminals create websites mimicking charitable organizations to register with cloud service providers. They use “pay-as-you-go” or free trial plans, abusing these rates for large-scale operations with minimal costs.

Protection Recommendations

Microsoft advises operators of gift card issuance portals to constantly monitor for anomalies and implement conditional access policies that would prevent the creation of an unusually large number of cards by a single account.

Additionally, organizations are recommended to implement measures against token reuse, adhere to the principle of least privilege, and use FIDO2 security keys to protect high-risk accounts. Vendors can also play a crucial role in disrupting the profit chain of Storm-0539 and similar attackers by recognizing and rejecting orders with suspicious signs.

Although the attacks do not affect buyers, internet users preparing for the holidays should exercise increased caution regarding scams, fake stores, and malicious advertisements.

Storm-0539 is a financially motivated hacker group from Morocco, active since 2021 and specializing in gift and payment card fraud. These cybercriminals are known for their reconnaissance activities and specially crafted phishing emails and SMS messages targeting employees of organizations that issue gift cards.