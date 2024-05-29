A Morocco-based cybercriminal operation is compromising the systems of large retailers to fraudulently issue gift cards to itself, Microsoft has reported. The group, tracked as Storm-0539 and also known as Atlas Lion, has drawn attention over the past year for this type of fraud. According to Microsoft, it targets cloud and identity services and persistently attacks the payment and card systems of large retailers, luxury brands, and well-known fast-food chains.

Notably, the group previously specialised in malware attacks against point-of-sale (POS) devices such as retail cash registers and kiosks to steal payment card data. Microsoft says its method of compromising cloud systems to obtain far-reaching identity and access privileges resembles the “tradecraft and sophistication typically seen in nation-state-sponsored threat actors, except instead of gathering email or documents for espionage, Storm-0539 gains and uses persistent access to hijack accounts and create gift cards for malicious purposes and does not target consumers exclusively”.

Once the criminals obtain an initial session and its token, they register their own devices in the victim's identity environment so that subsequent secondary authentication prompts are satisfied by hardware they control. This lets them bypass multifactor authentication protections and persist in the environment under the now-compromised identity.
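The registration step above is also where this tradecraft leaves a trace: a device or authenticator method registered minutes after a sign-in from an unfamiliar location that carried no device and no fresh MFA challenge. The following detection logic is an added example, not code from Microsoft or from the article. The record format is a constructed simplification of Entra ID sign-in and audit log fields, the sample records are invented, and the 60-minute correlation window is an assumed tuning value, not a documented threshold.

```python
"""Flag device/authenticator registrations that follow a suspicious sign-in.

Added example, not code from Microsoft or the article. The record format is a
constructed simplification of Entra ID sign-in and audit log fields, and the
60-minute correlation window is an assumption, not a documented threshold.
"""
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). alice's third sign-in comes
# from a new country, carries no device and is satisfied by a claim in the
# presented token, which is what a replayed session looks like; a device and an
# authenticator method are registered minutes later, and the new device then
# satisfies MFA on its own. bob registers a corporate device from his usual
# location, the benign case the logic must not flag.
SAMPLE_LOGS = """\
{"time": "2024-05-13T09:00:00Z", "type": "SignIn", "user": "alice@retailer.example", "ip": "203.0.113.10", "country": "US", "mfa": "satisfied", "device_id": "dev-corp-001"}
{"time": "2024-05-20T09:02:11Z", "type": "SignIn", "user": "alice@retailer.example", "ip": "203.0.113.10", "country": "US", "mfa": "satisfied", "device_id": "dev-corp-001"}
{"time": "2024-05-20T13:41:05Z", "type": "SignIn", "user": "alice@retailer.example", "ip": "198.51.100.77", "country": "MA", "mfa": "claim in token", "device_id": null}
{"time": "2024-05-20T13:52:30Z", "type": "Audit", "activity": "Register device", "user": "alice@retailer.example", "ip": "198.51.100.77", "device_id": "dev-new-9f3"}
{"time": "2024-05-20T13:53:10Z", "type": "Audit", "activity": "User registered security info", "user": "alice@retailer.example", "ip": "198.51.100.77", "method": "Authenticator app"}
{"time": "2024-05-21T08:15:00Z", "type": "SignIn", "user": "alice@retailer.example", "ip": "198.51.100.77", "country": "MA", "mfa": "satisfied", "device_id": "dev-new-9f3"}
{"time": "2024-05-13T10:00:00Z", "type": "SignIn", "user": "bob@retailer.example", "ip": "203.0.113.22", "country": "US", "mfa": "satisfied", "device_id": "dev-corp-002"}
{"time": "2024-05-20T10:00:00Z", "type": "SignIn", "user": "bob@retailer.example", "ip": "203.0.113.22", "country": "US", "mfa": "satisfied", "device_id": "dev-corp-002"}
{"time": "2024-05-20T10:30:00Z", "type": "Audit", "activity": "Register device", "user": "bob@retailer.example", "ip": "203.0.113.22", "device_id": "dev-corp-003"}
"""

# Audit activities that add something capable of answering a future MFA prompt.
REGISTRATION_ACTIVITIES = {"Register device", "User registered security info"}
WINDOW = timedelta(minutes=60)  # assumed correlation window, tune to your tenant


def load_events(text):
    """Parse JSON lines and return the events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_registrations(events, window=WINDOW):
    """Return registrations preceded, within `window`, by an anomalous sign-in."""
    signins = [e for e in events if e["type"] == "SignIn"]
    findings = []
    for reg in events:
        if reg["type"] != "Audit" or reg["activity"] not in REGISTRATION_ACTIVITIES:
            continue
        user = reg["user"]
        # Baseline: countries the user signed in from before the window opened.
        # An empty baseline means no history, so the country test is skipped.
        baseline = {s["country"] for s in signins
                    if s["user"] == user and s["ts"] < reg["ts"] - window}
        recent = [s for s in signins
                  if s["user"] == user and reg["ts"] - window <= s["ts"] <= reg["ts"]]
        reasons = []
        for s in recent:
            if baseline and s["country"] not in baseline:
                reasons.append(f"sign-in from {s['country']} ({s['ip']}) outside baseline {sorted(baseline)}")
            if s["device_id"] is None:
                reasons.append("sign-in carried no registered device (session/token reuse)")
            if s.get("mfa") == "claim in token":
                reasons.append("MFA satisfied by a claim in the presented token, not a fresh challenge")
        if not reasons:
            continue
        # Escalate when the newly registered device later satisfies MFA itself:
        # at that point the attacker no longer depends on the stolen token.
        new_device = reg.get("device_id")
        used_later = any(s["user"] == user and s["ts"] > reg["ts"]
                         and new_device is not None and s["device_id"] == new_device
                         for s in signins)
        findings.append({
            "user": user,
            "activity": reg["activity"],
            "device_id": new_device,
            "registered_at": reg["time"],
            "from_ip": reg["ip"],
            "reasons": reasons,
            "severity": "high" if used_later else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_registrations(load_events(SAMPLE_LOGS)):
        print(json.dumps(finding, indent=2))
```

Run against the constructed sample, the logic raises two findings for alice (the device registration at high severity because the device is later used to sign in, the authenticator registration at medium) and none for bob. In production the baseline should come from weeks of sign-in history rather than the same log slice, and the registering IP should be compared against the sign-in IP as well; the point is the correlation itself, which is the kind of monitoring of identity events that the recommendations below call for.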

Microsoft explained, “To remain undetected, Storm-0539 adopts the guise of legitimate organisations, obtaining resources from cloud providers under the pretence of being non-profits. It creates convincing websites, often with misleading ‘typosquatting’ domain names a few characters different from authentic websites, to lure unsuspecting victims, further demonstrating its cunning and resourcefulness.”

Microsoft advises companies to treat their gift card portals as high-value targets for cybercriminals: monitor these sites continuously, audit them regularly, implement conditional access policies, train security teams and engineers to recognise this kind of fraud, and invest in cloud security best practices.

