Phishing Feast: Storm-0539 Targets Retailers for Holiday Haul
Microsoft has issued a warning about the escalating activities of the cybercriminal group Storm-0539, which specializes in gift card fraud. This group orchestrates sophisticated phishing attacks through email and SMS, targeting retail networks during holiday sale periods.
Malicious links redirect victims to phishing pages equipped with mechanisms for intercepting login credentials and session tokens. Microsoft researchers have shared their observations on platform X (formerly known as Twitter).
Microsoft has observed a significant surge in activity associated with the threat actor Storm-0539, known to target retail organizations for gift card fraud and theft using highly sophisticated email and SMS phishing during the holiday shopping season.
— Microsoft Threat Intelligence (@MsftSecIntel) December 14, 2023
Once they gain access to a system, the hackers add their devices to the list approved for two-factor authentication. This enables them to circumvent multifactor security measures and maintain unauthorized access using stolen credentials.
The perpetrators employ this method to elevate their privileges within the network and gain access to cloud resources. Their primary objective is the theft of information related to gift cards for fraudulent use, including fund withdrawal and exploitation of accumulated customer bonuses.
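The device registration step described above leaves a trace that defenders can look for in identity audit logs. The following is an added example, not taken from Microsoft or the original article: it flags a new MFA device registered shortly after a sign-in from an IP address the account had never used before. The event schema, field names, one-hour window and sample records are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified schema
# (not the log format of any real identity provider).
EVENTS = [
    {"time": "2023-12-01T09:00:00", "user": "alice", "type": "signin", "ip": "198.51.100.10"},
    {"time": "2023-12-02T09:05:00", "user": "alice", "type": "signin", "ip": "198.51.100.10"},
    {"time": "2023-12-02T09:10:00", "user": "alice", "type": "mfa_device_registered", "device": "phone-A"},
    {"time": "2023-12-01T08:00:00", "user": "bob", "type": "signin", "ip": "198.51.100.20"},
    {"time": "2023-12-03T02:14:00", "user": "bob", "type": "signin", "ip": "203.0.113.77"},
    {"time": "2023-12-03T02:20:00", "user": "bob", "type": "mfa_device_registered", "device": "phone-X"},
    {"time": "2023-12-01T10:00:00", "user": "carol", "type": "signin", "ip": "198.51.100.30"},
    {"time": "2023-12-04T10:00:00", "user": "carol", "type": "signin", "ip": "192.0.2.5"},
    {"time": "2023-12-05T15:00:00", "user": "carol", "type": "mfa_device_registered", "device": "phone-C"},
]

WINDOW = timedelta(hours=1)  # assumed correlation window; tune per environment


def flag_suspicious_mfa_registrations(events, window=WINDOW):
    """Return MFA registrations made within `window` of a sign-in from an IP
    address that the same account had not used in any earlier sign-in."""
    known_ips = {}      # user -> IPs seen in earlier sign-ins (the baseline)
    new_ip_signin = {}  # user -> (time, ip) of latest sign-in from an unseen IP
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "signin":
            seen = known_ips.setdefault(user, set())
            # Without a baseline the first sign-in cannot be judged, so skip it.
            if seen and ev["ip"] not in seen:
                new_ip_signin[user] = (when, ev["ip"])
            seen.add(ev["ip"])
        elif ev["type"] == "mfa_device_registered":
            hit = new_ip_signin.get(user)
            if hit and when - hit[0] <= window:
                alerts.append({"user": user, "device": ev["device"],
                               "signin_ip": hit[1], "registered_at": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_mfa_registrations(EVENTS):
        print(alert)
```

In the sample data only the third case is flagged: a registration from a familiar address and one made more than a day after an unfamiliar sign-in both pass.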
Storm-0539 continually gathers emails, contact lists, and network configuration details for subsequent attacks on the same companies. Microsoft underscores the importance of adhering to account security principles.
In their latest monthly report, Microsoft 365 Defender experts describe Storm-0539 as a financially motivated group active since 2021. The criminals conduct thorough reconnaissance before attacks, crafting highly convincing traps.
It is noteworthy that Microsoft recently obtained a court order to seize 750 million fake accounts of the Vietnamese cybercriminal group Storm-1152. This group was selling access to counterfeit Microsoft accounts and tools for circumventing identification systems on other platforms.
Experts warn that hackers are increasingly exploiting OAuth applications. Such services enable the automation of financially motivated campaigns, including corporate email fraud, phishing, spam distribution, and illegal cryptocurrency mining.