New Gift Card Scam Targets Retailers, Not Buyers, to Print Endless $$$

A Moroccan threat group has upgraded the classic gift card scam by targeting not retail customers but the systems that register the cards, allowing them to "print" money at will.

Scammers have been using social engineering tactics to convince regular people to buy them gift cards for years. The playbook hasn't changed much over time, because it hasn't had to; it's as effective and profitable today as ever.

Perhaps that's why the so-called Storm-0539, also known as Atlas Lion, cybercrime group's latest campaign stands out: it took something that wasn't broken and made it better. Instead of having to work individual victims — always labor-intensive, with a potentially low rate of return — the attackers compromise the retailers themselves, specifically the portals they use to issue gift cards.

Here's how it works, according to a new report from Microsoft.

Nouveau Gift Card Racket

Instead of retail customers, Storm-0539 targets retail employees with phishing texts. The aim of its social engineering is to compromise their employer accounts.

Using an employee's account, the cybercriminals can begin to see into and move laterally within a retailer's network. Sometimes they'll use the first employee to compromise others, with phishing attempts sent through internal mailing lists that mimic the company's usual norms of business. Otherwise, with access to accounts of sufficient privilege, they steal information about various services and accounts they can then use to ultimately reach the part of the system that handles gift cards.

"Storm-0539 gathers information on a wide variety of resources in targeted environments to advance toward its objective to steal gift cards," notes Emiel Haeghebaert, senior hunt analyst at the Microsoft Threat Intelligence Center. This might include resources relating to OneDrive, Salesforce, Citrix, and more, he says.

Case in point: "When the group targets resources such as SharePoint or VPN appliances, this is typically because those resources contain additional information or enable access that is required to ultimately access gift card infrastructure," he says. "For example, many organizations require an active VPN connection before users can access sensitive files and resources. Therefore, Storm-0539 may have to first obtain access to VPN resources and documentation before being able to continue with the intrusion."

As Microsoft tells it, Storm-0539's reconnaissance and cloud skills are at the level of what it observes from nation-state-level actors.

Through whatever means necessary to get there, Storm-0539 wades through retailers' environments until it obtains access to their gift card portal. Using a compromised employee account, it creates as many new gift cards as possible, worth just shy of whatever arbitrary dollar amount limit the retailer has set, and as quickly as possible. It then cashes them out, or uses money mules to cash them out, or sells them to other malicious actors on the Dark Web.

Combatting Storm-0593

The timing of Microsoft's reporting is deliberate. Predictably, Storm-0593 always ramps up in anticipation of holiday seasons: summer, Labor Day, Thanksgiving, Black Friday, winter holidays, and, this weekend, Memorial Day. The group's malicious activity from September to December 2023, for example, was 60% higher than usual, and it's been up 30% in the past few months.

To prepare for this threat actor, and the others that inevitably will follow it, Microsoft recommends that organizations adopt phishing-resistant multifactor authentication (MFA), strict password reset measures, token replay and other fraud protections, and principles of least privilege, as well as educate employees on the risks of this scam.

The difference good security makes here has already been proven. Thanks to increased collaboration and information-sharing, Microsoft reports, "We have observed an increase in major retailers’ ability to effectively ward off Storm-0539 activity in recent months."