Summary:
With US holidays like Memorial Day upcoming, Microsoft is warning up an uptick in activity from Storm-0539, a cybercriminal group operating out of Morocco that is known for targeting gift card portals linked to large retailers, luxury brands, and well-known fast-food restaurants. According to Microsoft, Storm-0539 conducts deep reconnaissance and sophisticated cloud-based techniques to target gift card creators. Notably, Storm-0539 initiates its reconnaissance by sending smishing texts to personal and work mobile phones belonging to employees at targeted organizations. After gaining access to one of these employees’ accounts, the group will move laterally across the organizational network and identify the gift card business process, further pivoting to employees covering that department. This access is then used to create fraudulent gift cards, with Microsoft seeing cases of the actor stealing up to $100,000 per day from targeted entities.

Security Officer Comments:
Storm-0539 heavily relies on cloud-based infrastructure to conduct its operations and stay under the radar. According to Microsoft, this group has been observed presenting itself as a legitimate organization to cloud providers to gain temporary applications, storage, and other initial free resources that can be used to carry out its attacks. In some cases, Storm-0539 has downloaded legitimate copies of f 501(c)(3) letters issued by the Internal Revenue Service (IRS) from non-profit organizations’ public websites to receive sponsors or discounts from major cloud providers. This group has also been observed creating free trials or student accounts on cloud service platforms, typically providing 30 days of access. These tactics enable the group to avoid up-front hosting costs while making attribution more challenging.

Suggested Corrections:
Microsoft set out a series of recommendations for organizations that offer gift cards to defend against these sophisticated tactics. These include: