Microsoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day

With US holidays like Memorial Day upcoming, Microsoft is warning of an uptick in activity from Storm-0539, a cybercriminal group operating out of Morocco that is known for targeting gift card portals linked to large retailers, luxury brands, and well-known fast-food restaurants. According to Microsoft, Storm-0539 conducts deep reconnaissance and uses sophisticated cloud-based techniques to target gift card creators. Notably, Storm-0539 initiates its reconnaissance by sending smishing texts to personal and work mobile phones belonging to employees at targeted organizations. After gaining access to one of these employees’ accounts, the group moves laterally across the organizational network to identify the gift card business process, then pivots to the employees covering that department. This access is then used to create fraudulent gift cards, with Microsoft seeing cases of the actor stealing up to $100,000 per day from targeted entities.

Security Officer Comments:
Storm-0539 heavily relies on cloud-based infrastructure to conduct its operations and stay under the radar. According to Microsoft, this group has been observed presenting itself as a legitimate organization to cloud providers to gain temporary applications, storage, and other initial free resources that can be used to carry out its attacks. In some cases, Storm-0539 has downloaded legitimate copies of 501(c)(3) letters issued by the Internal Revenue Service (IRS) from non-profit organizations’ public websites to receive sponsorships or discounts from major cloud providers. This group has also been observed creating free trials or student accounts on cloud service platforms, which typically provide 30 days of access. These tactics enable the group to avoid up-front hosting costs while making attribution more challenging.

Suggested Corrections:
Microsoft set out a series of recommendations for organizations that offer gift cards to defend against these sophisticated tactics. These include:

  • Continuously monitor logs to identify suspicious logins and other common initial access vectors that rely on cloud identity compromises
  • Implement conditional access policies that limit sign-ons and flag risky sign-ins
  • Consider complementing MFA with conditional access policies where authentication requests are evaluated using additional identity-driven signals, such as IP address location
  • Reset passwords for users associated with phishing and AiTM activity, which will revoke any active sessions
  • Update identities, access privileges, and distribution lists to minimize attack surfaces
  • Use policies to protect against token replay attacks by binding the token to the legitimate user’s device
  • Consider switching to a gift card platform designed to authenticate payments
  • Transition to phishing-resistant credentials, such as FIDO2 security keys
  • Train employees to recognize potential gift card scams and decline suspicious orders
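As an added illustration of the first and third recommendations (not code from Microsoft's advisory), the following Python runs a simple detection over constructed cloud sign-in events: it flags a user signing in from a country not previously seen for that account, and escalates when a sensitive application (here an assumed "GiftCardPortal" app name) is accessed shortly after such a sign-in, which matches the smishing-to-account-takeover-to-gift-card-pivot pattern described above. The per-user country baseline is built from the sample events themselves; a real deployment would seed it from a longer sign-in history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (user, UTC timestamp, sign-in country from IP geolocation, application)
SAMPLE_SIGNINS = [
    ("alice", "2024-05-20T09:00:00", "US", "Mail"),
    ("alice", "2024-05-20T13:10:00", "US", "GiftCardPortal"),
    ("alice", "2024-05-21T02:30:00", "MA", "Mail"),            # first sign-in from a new country
    ("alice", "2024-05-21T02:45:00", "MA", "GiftCardPortal"),  # pivot to the gift card app soon after
    ("bob",   "2024-05-20T10:00:00", "US", "Mail"),
    ("bob",   "2024-05-20T15:00:00", "US", "Mail"),
]

# Assumed application name for the gift card business process.
SENSITIVE_APPS = {"GiftCardPortal"}


def flag_suspicious_signins(events, sensitive_apps=SENSITIVE_APPS, window=timedelta(hours=1)):
    """Return a list of (user, timestamp, reason) tuples worth analyst review.

    Rule 1: sign-in from a country never seen before for that user
            (the first event for a user only seeds the baseline).
    Rule 2: access to a sensitive app within `window` of a rule-1 hit.
    """
    events = sorted(events, key=lambda e: e[1])   # ISO-8601 strings sort chronologically
    seen_countries = defaultdict(set)
    last_new_country_signin = {}
    alerts = []
    for user, ts, country, app in events:
        t = datetime.fromisoformat(ts)
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append((user, ts, f"sign-in from new country {country}"))
            last_new_country_signin[user] = t
        seen_countries[user].add(country)
        if (app in sensitive_apps and user in last_new_country_signin
                and t - last_new_country_signin[user] <= window):
            alerts.append((user, ts, f"{app} accessed within {window} of new-country sign-in"))
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_signins(SAMPLE_SIGNINS):
        print(*alert, sep=" | ")
```

The same rules extend naturally to other identity-driven signals the advisory mentions, such as sign-ins from IP ranges a conditional access policy would never permit.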