Storm-0539, aka Atlas Lion, employs phishing tactics to steal personal information from companies and individuals, which is then used to illicitly purchase gift cards and sell them at a discount on the open market.
“Gift cards are attractive targets for fraud because unlike credit or debit cards, there are no customer names or bank accounts attached to them,” Microsoft said in its report. The information technology giant noted cases where the Moroccan cyber group has stolen up to $100,000 a day from unnamed companies.
Once a Storm-0539 attacker steals a person’s data, they will set up multi-factor authentication (MFA) on a device they control, thus allowing them to wholly compromise their victim’s digital identity.
Sources the ring mines for digital gold include company directories, contact lists, and email accounts; the group also targets mobile phones with smishing attacks, giving it another avenue through which to infiltrate large companies with deep pockets.
“Once an employee account at a targeted organization is infiltrated, the attackers move laterally through the network, trying to identify the gift card business process,” Microsoft said.
“After gaining access, the group creates new gift cards using compromised employee accounts; they then redeem the value associated with those cards, sell the gift cards to other threat actors on black markets, or use money mules to cash out the gift cards,” it explained.
The majority of the cyber ring’s attacks reportedly come around the major holiday seasons. Microsoft documented a 30% increase in Storm-0539 intrusion activity between March and May 2024, as well as a 60% spike between September and December 2023.
It’s not just their victims who have been compromised; Storm-0539 attackers are also capable of exploiting the gift card portals of large retailers, luxury brands, and restaurants for large-scale purchases without raising any red flags.
Another way they lure victims into surrendering their digital information is by meticulously impersonating online charities, animal shelters, and nonprofits. Visitors to these sites believe them to be legitimate and thus willingly enter their personal or professional credentials.
Storm-0539 has become so infamous that the FBI published a notice on the Moroccan hackers’ activities earlier this month.
The U.S. federal law enforcement agency also warned that the cyber group has been known to sell their victims’ data on the black market.
Listed amongst Microsoft’s security recommendations for companies was the adoption of a secure gift card platform with stringent password changing requirements and MFA safeguards, as well as the implementation of IP address location checks for all devices attempting to register one.
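The location check on device registration, paired with the gift card creation that follows an account takeover, can be written as a detection rule over identity and gift card platform events. The Python below is an added example, not code from Microsoft or the FBI; the event schema, field names, thresholds, and the placeholder country code `XX` are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "country" is assumed to be
# resolved from the source IP by an upstream geolocation step.
EVENTS = [
    {"ts": "2024-04-20T09:00", "user": "alice", "type": "signin", "country": "US"},
    {"ts": "2024-04-22T10:00", "user": "bob", "type": "signin", "country": "CA"},
    {"ts": "2024-05-02T09:05", "user": "alice", "type": "signin", "country": "US"},
    {"ts": "2024-05-03T02:05", "user": "alice", "type": "signin", "country": "XX"},
    {"ts": "2024-05-03T02:10", "user": "alice", "type": "mfa_register", "country": "XX"},
    {"ts": "2024-05-03T02:40", "user": "alice", "type": "giftcard_issue", "country": "XX"},
    {"ts": "2024-05-03T11:00", "user": "bob", "type": "mfa_register", "country": "CA"},
    {"ts": "2024-05-03T11:30", "user": "bob", "type": "giftcard_issue", "country": "CA"},
    {"ts": "2024-05-09T12:00", "user": "alice", "type": "giftcard_issue", "country": "US"},
]

def find_alerts(events, window_hours=24, min_age_days=7):
    """Return (user, reason, timestamp) alerts in chronological order."""
    first_seen = {}   # (user, country) -> first sign-in time from that country
    suspect_reg = {}  # user -> time of latest off-baseline MFA registration
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, when = ev["user"], datetime.fromisoformat(ev["ts"])
        key = (user, ev["country"])
        if ev["type"] == "signin":
            first_seen.setdefault(key, when)
        elif ev["type"] == "mfa_register":
            seen = first_seen.get(key)
            # A location is trusted only after min_age_days of sign-in history;
            # a sign-in minutes before the registration does not establish it.
            if seen is None or when - seen < timedelta(days=min_age_days):
                suspect_reg[user] = when
                alerts.append((user, "mfa_register_new_location", ev["ts"]))
        elif ev["type"] == "giftcard_issue":
            # Gift card creation soon after a suspect registration is the
            # sequence the report describes for compromised employee accounts.
            reg = suspect_reg.get(user)
            if reg and when - reg <= timedelta(hours=window_hours):
                alerts.append((user, "giftcard_after_suspect_mfa", ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The `min_age_days` threshold matters because an attacker holding stolen credentials signs in from the new location just before registering the device, so a baseline built from all prior sign-ins would already contain it.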