Cyber Signals: Inside the growing risk of gift card fraud


In the ever-evolving landscape of cyberthreats, staying ahead of malicious actors is a constant challenge.

Microsoft Threat Intelligence has observed that gift cards are attractive targets for fraud and social engineering practices. Unlike credit or debit cards, there’s no customer name or bank account attached to them, which can lessen scrutiny of their potentially suspicious use in some cases and present cybercriminals with a different type of payment card surface to study and exploit.

Microsoft has seen an uptick in activity from threat actor group Storm-0539, also known as Atlas Lion, around the United States holidays, including Memorial Day, Labor Day, Thanksgiving, Black Friday, and Christmas. In advance of Memorial Day 2024, Microsoft has observed a 30% increase in activity from Storm-0539 between March and May 2024.

The latest edition of Cyber Signals dives deep into the world of gift card fraud, shedding light on Storm-0539 and its sophisticated cybercrime techniques and persistence, while providing guidance to retailers on how to stay ahead of these risks.

Shop clerk in a clothing boutique taking a credit card payment on a digital tablet.

Cyber Signals

The latest report describes how organizations can protect gift cards from Storm-0539’s cybercrime techniques.

The evolution of Storm-0539 (Atlas Lion)

Active since late 2021, this cybercrime group represents an evolution of threat actors who previously specialized in malware attacks on point-of-sale (POS) devices like retail cash registers and kiosks to compromise payment card data, and today they are adapting to target cloud and identity services in steadily attacking the payment and card systems associated with large retailers, luxury brands, and well-known fast food restaurants.

Sophisticated strategies

What sets Storm-0539 apart is its deep understanding of cloud environments, which it exploits to conduct reconnaissance on organizations’ gift card issuance processes and employee access. Its approach to compromising cloud systems for far-reaching identity and access privileges mirrors the tradecraft and sophistication typically seen in nation-state-sponsored threat actors, except instead of gathering email or documents for espionage, Storm-0539 gains and uses persistent access to hijack accounts and create gift cards for malicious purposes and does not target consumers exclusively. After gaining access to an initial session and token, Storm-0539 will register its own malicious devices to victim networks for subsequent secondary authentication prompts, effectively bypassing multifactor authentication protections and persisting in an environment using the now fully compromised identity.

A cloak of legitimacy

To remain undetected, Storm-0539 adopts the guise of legitimate organizations, obtaining resources from cloud providers under the pretense of being non-profits. It creates convincing websites, often with misleading “typosquatting” domain names a few characters different from authentic websites, to lure unsuspecting victims, further demonstrating its cunning and resourcefulness.

Defending against the storm

Organizations that issue gift cards should treat their gift card portals as high-value targets for cybercriminals and should focus on continuous monitoring, and audit for anomalous activities. Implementing conditional access policies and educating security teams on social engineering tactics are crucial steps in fortifying defenses against such sophisticated actors. Given Storm-0539’s sophistication and deep knowledge of cloud environments, it is recommended that you also invest in cloud security best practices, implement sign-in risk policies, transition to phishing-resistant multifactor authentication, and apply the least privilege access principle.

By adopting these measures, organizations can enhance their resilience against focused cybercriminals like Storm-0539, while keeping trusted gift, payment, and other card options as attractive and flexible amenities for customers. To learn more about the latest threat intelligence insights, visit Microsoft Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.



Leave a Reply

Your email address will not be published. Required fields are marked *