Microsoft has published a “Cyber Signals” report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States.

The FBI previously warned about Storm-0539’s (aka “Ant Lion”) activities earlier this month, highlighting the threat group’s advanced techniques in conducting gift card theft and fraud, stating that their tactics resemble state-sponsored hackers and sophisticated cyberespionage actors.

Microsoft warns that the threat actors increase their activity before a major holiday, seeing a 60% increase in Storm-0539 activity during last year’s winter holidays (Christmas) and a notable 30% rise between March and May 2024.

In the newly released Cyber Signals report, Microsoft corroborates that the threat actors target organizations that issue gift cards rather than end users, while also revealing large-scale abuse of cloud service providers for low-cost operations.

Storm-0539 profile and modus operandi

Storm-0539 is a Moroccan financially motivated threat group active since 2021, primarily focusing on gift card and payment card fraud.

The threat actors are notorious for their reconnaissance efforts and custom-crafted email and SMS phishing messages, which target employees of targeted organizations, typically gift card issuers.

Once they gain access to the target environment using stolen accounts, they register their own devices with the company’s multi-factor authentication (MFA) platforms for persistence and then move laterally by compromising virtual machines, VPNs, SharePoint, OneDrive, Salesforce, and Citrix environments.

Eventually, Storm-0539 gets access to credentials that allow them to create new gift cards to redeem on dark web markets, in stores, or by cashing them out using money mules. 

“Typically, organizations set a limit on the cash value that can be issued to an individual gift card. For example, if that limit is $100,000, the threat actor will issue a card for $99,000 then send themselves the gift card code and monetize them,” explains Microsoft’s Cyber Signals report.

“Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate.”

“We’ve seen some examples where the threat actor has stolen up to $100,000 a day at certain companies.”

To create new infrastructure for their attacks, the threat actors create websites impersonating non-profit organizations, which are used to sign up with cloud service providers. These accounts join “pay as you go” or “free trial” tiers, which they abuse in large-scale operations for little to no cost.

“Storm-0539’s reconnaissance and ability to leverage cloud environments are similar to what Microsoft observes from state-sponsored threat actors, showing how techniques popularized by espionage and geopolitical-focused adversaries are now influencing financially motivated criminals,” explains Microsoft.

Defense recommendations

Microsoft suggests that gift card issuing portal operators constantly monitor for anomalies and implement conditional access policies that would prevent a single, potentially hijacked account from generating an unusually large number of cards.

Additionally, organizations are advised to implement token replay protection measures, enforce least privilege access, and use FIDO2 security keys to protect high-risk accounts.

Merchants can also play a crucial role in disrupting the profit chain for Storm-0539 and similar threat actors by recognizing and rejecting orders that carry suspicious signs.

Although these attacks do not impact holiday shoppers, internet users preparing for Memorial Day should maintain elevated caution against scams, fake shops, and malvertising.