Morocco-based cybercriminals hack large retailers for gift card theft

 


Microsoft has published a new “Cyber Signals” report highlighting an alarming increase in cyber activity by the hacking group Storm-0539, also known as “Ant Lion,” with a notable rise in gift card theft.

Earlier this month, the FBI issued a warning about Storm-0539 and its advanced techniques in conducting gift card theft and fraud. The agency noted that the group's tactics are comparable to those used by state-sponsored hackers and sophisticated cyberespionage actors.

Storm-0539 primarily targets major US retailers by focusing on key employees or offices responsible for payment and gift card operations. By successfully phishing these employees, the attackers gain the access they need to navigate complex cloud environments and company-specific procedures, enabling them to maximize fraudulent gift card issuance.

Storm-0539 employs sophisticated methods to disguise its operations. The group has been observed creating domains that mimic legitimate nonprofit organizations, such as animal shelters and charities in the US and Europe. The hackers have even obtained copies of IRS correspondence designating these groups as legitimate nonprofits. Using these credentials, they secure discounted or free cloud services to host the infrastructure needed for their cyber operations.

The typical attack chain involves several steps:

  • Smishing Attacks: Using employee directories and schedules, Storm-0539 sends smishing texts to employees' personal and work mobile phones.

  • Network Infiltration: Once an employee account is compromised, the attackers move laterally through the network, identifying the gift card business process and targeting accounts linked to this portfolio.

  • Reconnaissance: They gather information on virtual machines, VPN connections, SharePoint, OneDrive resources, and remote environments like Salesforce and Citrix.

  • Gift Card Issuance: With access gained, the group creates new gift cards using compromised employee accounts.

  • Monetization: The fraudulently issued gift cards are then redeemed, sold on black markets, or cashed out using money mules.
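One way a defender could watch for the issuance step of this chain, shown as an added example that is not from the article or the Microsoft report: a per-account sliding-window check over gift card issuance events. The event layout, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, issuing employee account, card value in USD).
# The field layout and account names are assumptions, not a real product's log schema.
EVENTS = [
    ("2024-05-01T09:05:00", "alice", 50),
    ("2024-05-01T13:30:00", "alice", 100),
    ("2024-05-02T10:00:00", "alice", 25),
    ("2024-05-01T10:00:00", "bob", 50),
    ("2024-05-02T11:00:00", "bob", 25),
] + [
    # Eight $100 cards issued four minutes apart in the early morning by one account.
    (f"2024-05-03T02:{minute:02d}:00", "bob", 100) for minute in range(10, 42, 4)
]


def flag_issuance_bursts(events, window=timedelta(hours=1), max_cards=5, max_value=500):
    """Return one alert per account whose issuance inside any sliding window
    exceeds a cap on card count or on total issued value (caps are assumptions)."""
    recent = defaultdict(deque)   # account -> (timestamp, value) pairs still in the window
    alerted = set()               # accounts already reported, to avoid repeat alerts
    alerts = []
    parsed = sorted((datetime.fromisoformat(t), acct, val) for t, acct, val in events)
    for ts, account, value in parsed:
        q = recent[account]
        q.append((ts, value))
        # Drop issuances that have aged out of the window for this account.
        while ts - q[0][0] > window:
            q.popleft()
        cards = len(q)
        total = sum(v for _, v in q)
        if (cards > max_cards or total > max_value) and account not in alerted:
            alerted.add(account)
            alerts.append({"account": account, "at": ts.isoformat(),
                           "cards": cards, "value": total})
    return alerts


if __name__ == "__main__":
    for alert in flag_issuance_bursts(EVENTS):
        print(alert)
```

In practice the caps would be tuned per role from each account's own issuance history, since the accounts described above are ones that legitimately issue gift cards.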

Microsoft reported a 30% increase in Storm-0539 intrusion activity between March and May 2024, with the attackers using their extensive cloud expertise to “conduct reconnaissance on an organization's gift card issuance processes.”
