Hackers are increasingly sophisticated in their gift card scams.

Unlike credit or debit cards, gift cards are not tied to a specific customer name or bank account, making it difficult to track and identify suspicious transactions, according to Vasu Jakkal, Microsoft's vice president of security, compliance, identity and governance. This also makes them a new target for cybercriminals to research and exploit, in addition to traditional credit and debit cards.

Microsoft has detected increased activity by the Storm-0539 cybercrime group, also known as Atlas Lion, around holidays such as Labor Day, Thanksgiving, Black Friday, Christmas...

In light of this, Cyber Signals’ latest update focuses on gift card fraud, highlighting Storm-0539 and the sophisticated techniques and tenacity of cybercriminals, while providing guidance to retailers on how to avoid these risks.

Active since late 2021, the Storm-0539 (Atlas Lion) cybercrime group originated from hacker groups that previously specialized in malware attacks on point-of-sale (POS) devices such as cash registers and kiosks to compromise payment card data. Today, these groups have shifted their focus to the cloud and identity services to carry out regular attacks on payment and card systems associated with major retailers, luxury brands, and popular fast-food restaurants.

What makes Storm-0539 different is the deep understanding of cloud systems that the hackers use to spy on the gift card issuance process and employee access within the organization. Hackers infiltrate cloud systems to gain extensive access and identity privileges. Instead of collecting emails or documents for espionage, Storm-0539 uses persistent access to hijack accounts and create gift cards for malicious purposes, not specifically targeting end consumers.

To avoid detection, Storm-0539 disguises itself as legitimate organizations, taking resources from cloud providers under the guise of non-profit organizations. Hackers create websites that appear trustworthy, often using “spoofed domains with slight differences in characters” from legitimate sites to fool victims, further demonstrating their cunning and ingenuity.

Gift card issuers should recognize their gift card portals as high-value targets for cybercriminals and focus on continuous monitoring and auditing for unusual activity. Implementing conditional access policies and educating employees about social engineering attacks are important steps to protect against malicious actors. Organizations should invest in cloud security best practices, implement login risk policies, move to anti-phishing MFA, and adopt the principle of least access.

By implementing these measures, organizations can increase their resilience to cybercriminal attacks like Storm-0539, while maintaining trusted gift card, payment card, and other card options to provide attractive and flexible benefits to customers. To learn more about the latest threat insights, visit Microsoft Security Insider.

Hoang Phuong