Microsoft warns of major gift card fraud scheme sweeping through victims

Phishing phone call scams vishing - concept. Cellphone with fishing hook, credit cards, gift cards
(Image credit: Shutterstock / MargJohnsonVA)

Gift cards are a good way to fund a hobby or interest without having to spend hours agonizing over the perfect present, as they can be used in store or online using a unique code used to track the amount of money on the card.

Unfortunately, threat actors are taking advantage of the ambiguity of gift cards as an easy way to steal money from corporations without leaving a paper trail.

Chief among these threat actors is the group tracked as Storm-0539, which Microsoft has identified as a unique group who utilize an advanced knowledge of cloud environments to break into gift card portals, generate new gift cards for themselves, and then sell them on the dark web or redeem the value for their own use.

Phishing for clouds

Storm-0539 typically infiltrates cloud environments through complex smishing campaigns, which combines social engineering with fake text messages that trick the victims into providing access to their organizations. The group then registers their own devices with the victims authentication services to bypass multi-factor authentication, providing the threat actor with persistent access to the targeted environment.

The group then uses the compromised account to navigate through the targeted environment, hunting for access to the gift card portal while also gathering important information from Salesforce, Citrix, OneDrive and Sharepoint. Storm-0539 then uses the compromised employee accounts to generate new gift cards.

In order to avoid detection by the organizations they are targeting, the group uses a tactic known as typosquatting - where the group ‘squats’ on a domain that appears to be an authentic website, but the address actually contains a number of switched characters to blend in.

Microsoft says that gift card portals should be treated as a high priority target for threat actors, and has issued a number of security recommendations to protect against the tactics used by Storm-0539:

  • Bind MFA tokens to employee devices to prevent token replay attacks.
  • Use least privilege access principles throughout the business environment to minimize the effects of an attack.
  • Use a trusted gift card system that uses fraud prevention techniques and authenticates payments legitimately.
  • Use phishing resistant MFA solutions.
  • Implement secure password changes for high risk users, such as Microsoft Entra MFA.
  • Provide training and education to employees to help them spot fraudulent gift cards.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham, where he read Politics with Journalism at undergraduate level before continuing his studies at a postgraduate level in Security, Intelligence and Diplomacy. Benedict made the jump to cybersecurity upon joining TechRadar Pro as a Staff Writer, focussing on state-sponsored threat actors, malware, social engineering, and national security.