The FBI has been busy of late with security warnings regarding email hackers and road toll scammers. The warnings are still coming though, with the latest revealing how one hacking group called STORM-0539 is targeting retail gift card operations.

The FBI’s Private Industry Notification 20240506-001

The FBI’s latest private industry notification was published on 6 May to highlight how one financially motivated threat group is targeting employees at U.S. retail and corporate offices with a fraudulent gift card endgame.

Starting in January 2024, the FBI said it had noted an uptick in the activity of a cybercrime group tagged as STORM-0539 (and sometimes referred to as Atlas Lion) that runs phishing and text message campaigns aimed at the retail sector. Specifically, those campaigns are used “to target employees and gain unauthorized access to employee accounts and corporate systems” in the gift card departments located in corporate offices of national retail groups.

Who Is STORM-0539?

According to Microsoft, STORM-0539 is a group of cybercriminals that specialize in attacking retail organizations using “highly sophisticated email and SMS phishing” during holiday periods for the purpose of perpetrating gift card fraud. Active since late 2021, STORM-0539 has carried out “extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access,” Microsoft said. Furthermore, according to Microsoft, STORM-0539 is capable of leveraging resources from those retailers’ cloud services in order to progress with post-compromise activity.

The FBI warning comes as the law enforcement agency has noted how the cybercrime group is using so-called smishing campaigns, phishing using SMS messages, to gain unauthorized access to employee accounts and corporate systems. “Once they gained access,” the FBI said, “STORM-0539 actors used phishing campaigns to target other employees to elevate network access and target the gift card department in order to create fraudulent gift cards.”

STORM-0539 Attack Techniques, Tactics And Procedures

The FBI has recommended that organizations review and update their incident response plans, taking note of the TTPs used by the STORM-0539 threat actors. Organizations should also “establish and maintain strong liaison relationships” with the regional FBI Field Office closest to them. Some of the TTPs noted by the FBI include:

  • Targeting myriad employees’ personal and work mobile phones.
  • Using a sophisticated phishing kit that can bypass two-factor authentication.
  • Using compromised accounts for reconnaissance purposes to identify the gift card business process, after which the group pivots to the employee accounts covering that area.
  • Creating gift cards using those compromised employee accounts. In one case where the group was detected and changes instituted to prevent access to gift card creation, STORM-0539 was found to have pivoted to hunting down unredeemed cards and changing email addresses to those under group control.
  • Downloading employee data including names, usernames and phone numbers.
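
As an added example (not from the FBI notification or from Microsoft’s reporting), the following is one detection a retailer could run over its gift card platform’s audit log to catch the fourth TTP above: a single employee account rewriting the recipient email on several unredeemed cards within a short window. The log format, field names, threshold and sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format, not from the FBI notification).
# Each row: (timestamp, actor account, action, card id, card state, recipient email after the change).
SAMPLE_EVENTS = [
    ("2024-02-03T09:00:00", "jdoe", "create_card", "GC-1000", "unredeemed", "a@shop.example"),
    ("2024-02-03T09:01:10", "jdoe", "update_recipient_email", "GC-1001", "unredeemed", "x1@drop.example"),
    ("2024-02-03T09:01:40", "jdoe", "update_recipient_email", "GC-1002", "unredeemed", "x2@drop.example"),
    ("2024-02-03T09:02:05", "jdoe", "update_recipient_email", "GC-1003", "unredeemed", "x3@drop.example"),
    ("2024-02-03T09:03:30", "jdoe", "update_recipient_email", "GC-1004", "unredeemed", "x4@drop.example"),
    ("2024-02-03T09:05:00", "jdoe", "update_recipient_email", "GC-1005", "redeemed", "x5@drop.example"),
    ("2024-02-03T14:00:00", "msmith", "update_recipient_email", "GC-2001", "unredeemed", "c@mail.example"),
    ("2024-02-04T10:30:00", "msmith", "update_recipient_email", "GC-2002", "unredeemed", "d@mail.example"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_bulk_recipient_rewrites(events, window_minutes=10, threshold=3):
    """Return one alert per actor whose recipient-email changes on UNREDEEMED cards
    reach `threshold` inside any sliding window of `window_minutes`. Redeemed cards
    are ignored: they carry no value to redirect. Each alert lists the cards touched
    and the destination email domains, so an analyst can see whether value is being
    funnelled to a single domain the organisation does not control."""
    per_actor = defaultdict(list)
    for ts, actor, action, card, state, email in events:
        if action == "update_recipient_email" and state == "unredeemed":
            per_actor[actor].append((parse_ts(ts), card, email.split("@")[-1].lower()))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for actor, rows in per_actor.items():
        rows.sort()
        hit_cards, hit_domains, start = set(), set(), 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hit_cards.update(r[1] for r in rows[start:end + 1])
                hit_domains.update(r[2] for r in rows[start:end + 1])
        if hit_cards:
            alerts[actor] = {"cards": sorted(hit_cards), "domains": sorted(hit_domains)}
    return alerts


if __name__ == "__main__":
    for actor, detail in find_bulk_recipient_rewrites(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {len(detail['cards'])} unredeemed cards redirected to {detail['domains']}")
```

Tuning the window and threshold against the legitimate rate of recipient changes in the gift card department keeps the rule from paging on normal customer-service work.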

Mitigation Matters

In order to mitigate the risk of attack, organizations should follow basic security best practices, provide training on how these social engineering attacks work, and ensure that employees have a mechanism for reporting anything suspicious. Even though STORM-0539 has some success in bypassing 2FA, there should still be a requirement for multi-factor authentication to safeguard as many accounts as possible, preferably using ‘phishing-resistant’ options such as biometric passkeys and physical security keys. Needless to say, but I will anyway, the principle of least privilege should be employed throughout the organization’s network. “Account privileges should be clearly defined and regularly reviewed and adjusted as necessary,” the FBI concluded.
