Rising threat of gift card cyber fraud: Don't let cybercriminals steal your holiday cheer!

Devdiscourse News Desk | California | Updated: 24-05-2024 16:18 IST | Created: 24-05-2024 16:18 IST

Online shopping feels as effortless as wrapping a present. Click, confirm, and voila - the perfect gift arrives at your loved one's door. But beneath this veneer of convenience, a silent threat lurks - a cunning breed of cybercriminals setting their sights on gift cards.

Microsoft Threat Intelligence has uncovered a worrying trend: a spike in gift card scams, particularly around major holidays like Memorial Day, Black Day, Christmas and Thanksgiving, among others.

The latest edition of Cyber Signals, a quarterly cyberthreat intelligence brief by Microsoft, dives deep into the world of gift card fraud and sheds light on a sophisticated cybercrime group known as Storm-0539 (also known as Atlas Lion) and its persistent attempts to exploit gift cards. The report also describes how organisations and consumers can defend against such attacks.

Why gift cards?

Unlike credit or debit cards, gift cards lack the security blanket of a customer name or bank account attached. This anonymity makes them a more lucrative target for threat actors. With traditional payment methods, a red flag might be raised if suspicious activity is detected on a linked account. Gift cards, however, offer a layer of anonymity that cybercriminals can easily exploit.


Microsoft has identified a particularly troublesome threat actor group called Storm-0539, also known as Atlas Lion. Active since late 2021, this cybercrime group operates out of Morocco and has a history of financial crimes, with gift card fraud becoming their latest focus.

What makes Storm-0539 so dangerous is its ability to evolve tactics. Initially, they targeted point-of-sale (POS) systems used in retail stores to steal payment card data. However, they have now shifted gears, focusing on infiltrating cloud and identity services used by large retailers, luxury brands, and even popular fast-food chains.

What sets this group apart from other cybercriminals is their deep understanding of cloud environments. They use this knowledge to meticulously scout out organizations' gift card issuance processes and employee access points. Their methods mirror those of nation-state attackers, but instead of stealing emails or documents, they gain persistent access to create fraudulent gift cards for their own gain.

Once Storm-0539 gains access to a system, they start exploiting multifactor authentication (MFA), a security measure designed to add an extra layer of protection, by registering malicious devices on victim networks. The group essentially bypasses MFA and maintains a persistent presence within the system, allowing them to continue their fraudulent activities undetected.

Storm-0539 employs a multi-pronged approach to avoid detection. They pose as legitimate organizations, tricking cloud providers into granting them access to resources. Additionally, they create fake websites with domain names that closely resemble real ones – a tactic known as typosquatting. By luring unsuspecting victims to these fake websites, they can steal personal information or redirect them to purchase fraudulent gift cards.

A spike in activity around holidays

The data shared by Microsoft paints a concerning picture. Between March and May 2024, in the lead-up to the summer holiday season, Microsoft observed a 30% increase in intrusion activity from Storm-0539. Similarly, a worrying 60% increase in attack activity was observed between September and December 2023, coinciding with the fall and winter holidays. This trend suggests a targeted approach by the group, exploiting the surge in gift card purchases during these peak shopping seasons.

Defending against the storm

The rise in gift card fraud is indicative of broader trends in cybercrime. As digital transactions become more prevalent, cybercriminals are continuously adapting their tactics to exploit new opportunities. The anonymity and ease of use that make gift cards appealing to consumers also make them an attractive target for fraudsters.

Investing in advanced threat detection and response capabilities, coupled with robust employee training programs, can help mitigate the risk of falling victim to sophisticated cyberattacks.

Microsoft Threat Intelligence has shared the following recommendations to defend against this fraud:


  • Treat gift card systems as high-value targets: Implement continuous monitoring and auditing for suspicious activity.
  • Educate security teams: Ensure employees are aware of social engineering tactics and how to recognize them.
  • Conditional access policies: Implement policies that limit access based on risk factors.
  • Invest in cloud security best practices
  • Phishing-resistant MFA: Utilize multifactor authentication methods that are less susceptible to phishing.
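
One way to act on the monitoring recommendation, given that the group registers its own devices for MFA before creating gift cards: correlate new MFA device registrations with gift card issuance from that same device. This is an added example, not code from Microsoft or the report; the event field names, the 24-hour window and the value ceiling are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed watch period after a device is registered
MAX_VALUE = 500               # assumed ceiling on value issued inside that window

# Constructed audit events; the field names are hypothetical, not a real log schema.
EVENTS = [
    {"ts": "2024-05-20T09:00", "user": "alice", "action": "mfa_device_registered", "device": "d-1"},
    {"ts": "2024-05-20T09:30", "user": "alice", "action": "gift_card_issued", "device": "d-1", "value": 50},
    {"ts": "2024-05-21T02:10", "user": "bob", "action": "mfa_device_registered", "device": "d-9"},
    {"ts": "2024-05-21T02:20", "user": "bob", "action": "gift_card_issued", "device": "d-9", "value": 400},
    {"ts": "2024-05-21T02:25", "user": "bob", "action": "gift_card_issued", "device": "d-9", "value": 400},
    {"ts": "2024-05-23T03:00", "user": "bob", "action": "gift_card_issued", "device": "d-2", "value": 900},
]

def find_suspect_devices(events):
    """Return (user, device) pairs where a newly registered MFA device
    issued more than MAX_VALUE in gift cards within WINDOW of registration."""
    registered = {}            # (user, device) -> registration time
    issued = defaultdict(int)  # (user, device) -> value issued inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["device"])
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "mfa_device_registered":
            registered[key] = ts
        elif e["action"] == "gift_card_issued" and key in registered:
            if ts - registered[key] <= WINDOW:
                issued[key] += e["value"]
    return sorted(k for k, v in issued.items() if v > MAX_VALUE)

if __name__ == "__main__":
    for user, device in find_suspect_devices(EVENTS):
        print(f"review: {user} issued cards from newly registered device {device}")
```

Issuance from a device with no recent registration, such as `d-2` above, is left to whatever baseline monitoring already covers established devices.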

For consumers, awareness is key. When purchasing gift cards online, ensure the website is legitimate. Double-check the URL for typos before entering any personal information (typos in URLs can indicate a fraudulent site).
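
The URL check above, and the typosquatting tactic described earlier, can be automated by comparing a domain against a list of trusted ones. This is an added example, not part of the original article or the Microsoft report; the trusted domains are constructed placeholders, and the check also covers brand names embedded in longer domains, which goes slightly beyond single-character typos.

```python
import unicodedata

# Constructed allow-list; replace with the domains you actually buy from.
TRUSTED = ["contoso.com", "giftcards.example"]
# Digit-for-letter swaps folded to one form before comparing.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Lower-case, strip accents, fold common look-alike characters."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(FOLD).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain):
    """Return (verdict, trusted domain it matches or imitates)."""
    host = domain.lower().rstrip(".")
    for t in TRUSTED:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    sk = skeleton(host)
    for t in TRUSTED:
        st = skeleton(t)
        brand = st.split(".")[0]
        # Same skeleton = character swap; distance 1 = single typo;
        # brand embedded in another name = padded or subdomain trick.
        if sk == st or osa_distance(sk, st) <= 1 or brand in sk:
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    for d in ["shop.contoso.com", "c0ntoso.com", "contsoo.com",
              "contoso-giftcards.com", "example.org"]:
        print(d, classify(d))
```

The folding table only covers Latin look-alikes; domains using characters from other scripts need a fuller confusables mapping.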
