Morocco as an emerging cybercrime originator

Although cybercrime operations are a global phenomenon, most financially motivated cybercriminals operate from a well-understood list of countries, including China, Russia, Ukraine, the US, Romania, and Nigeria. But at this year’s Sleuthcon, a new nation emerged that threatens to break into the ranks of top cybercrime havens: Morocco.

Microsoft researchers recently uncovered a new, quiet, and productive group it calls Storm-0539, also known as Atlas Lion, operating out of Morocco. The group engages in payment and gift card fraud. But instead of relying on malware or malicious tooling, as might be found in ordinary point-of-sale credit card fraud, Storm-0539 represents an evolution in cybercrime because it exploits cloud identities to target retailers to print their own gift cards, often in hefty amounts.

Using employee directories and schedules, contact lists, and email inboxes, Storm-0539 targets retail employees via smishing or phishing to gain access to the gift card business process, print their own gift cards and then redeem the cards, sell them on black market websites or use mules to cash out the cards.