Microsoft Identifies Rise in Gift Card Theft by Hacking Group Storm-0539 Ahead of Memorial Day

### Microsoft Reports Surge in Gift Card Theft by Hacking Group Storm-0539
Microsoft has released a “Cyber Signals” report detailing an increase in activities by the hacking group Storm-0539, also known as “Ant Lion,” particularly in the theft of gift cards as the Memorial Day holiday approaches in the United States. The FBI had earlier highlighted the group’s sophisticated techniques in gift card and fraud activities, likening them to those of state-sponsored hackers.
The report indicates a 60% surge in Storm-0539 activities during the previous year’s winter holiday season and a 30% increase from March to May 2024. Unlike typical hacking groups, Storm-0539 targets organizations issuing gift cards and exploits cloud service providers for low-cost operations.
### Inside Storm-0539’s Operations
Originating from Morocco in 2021, Storm-0539 focuses on gift card and payment card fraud. They employ detailed reconnaissance and craft phishing emails and SMS messages targeting employees of gift card issuing companies. After gaining access, they manipulate multi-factor authentication platforms, compromise various corporate environments, and eventually create new gift cards to sell or redeem on the dark web.
Microsoft’s report reveals that these threat actors can steal up to $100,000 a day from companies by issuing gift cards just below the maximum limit allowed, then selling them online at discounted rates.
### The Cybercriminal Infrastructure
Storm-0539 has been found to create fake non-profit organization websites to abuse cloud service providers’ “pay as you go” or “free trial” tiers. This approach enables them to conduct large-scale operations at minimal costs, showcasing a level of sophistication and use of cloud environments akin to state-sponsored threat actors.
### Microsoft’s Defense Recommendations
To counteract the threat posed by Storm-0539, Microsoft recommends several defense strategies for gift card issuing portal operators. These include monitoring for anomalies, implementing conditional access policies to prevent the mass generation of gift cards by compromised accounts, enforcing least privilege access, and using FIDO2 security keys for high-risk accounts. Merchants are also urged to help disrupt these criminal activities by identifying and rejecting suspicious orders.
While these attacks are primarily aimed at organizations rather than individual holiday shoppers, Microsoft advises everyone to stay vigilant against scams, fake shops, and malicious advertising as the Memorial Day holiday approaches.