Gift cards offer a convenient way to indulge in hobbies or interests without the hassle of selecting the perfect gift. They provide flexibility for recipients to make purchases online or in-store using a unique code that tracks the card’s monetary value. However, threat actors are exploiting the inherent ambiguity of gift cards to perpetrate fraud and steal money from corporations, leaving behind minimal traces.
One prominent threat actor group, known as Storm-0539, stands out for its sophisticated tactics in exploiting cloud environments to gain unauthorized access to gift card portals. Employing a blend of social engineering and fake text messages (smishing), Storm-0539 tricks victims into granting access to their organizations. Once inside, the group circumvents multi-factor authentication by registering their own devices with the victim’s authentication services, ensuring persistent access.
Storm-0539 meticulously navigates through the compromised environment, extracting valuable information from platforms like Salesforce, Citrix, OneDrive, and SharePoint while hunting for access to gift card portals. Using compromised employee accounts, they generate new gift cards, which are then either sold on the dark web or redeemed for personal gain.
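The sequence described above, a new MFA device registered on an employee account followed by gift card creation from that same account, can be expressed as a detection rule. The following is an added example, not part of the original article or of Microsoft's guidance; the event schema, action names, thresholds and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; the schema (ts, user, action, amount) is an
# assumption for illustration, not the log format of any real product.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "gift_card_issued", "amount": 25},
    {"ts": "2024-05-02T03:10:00", "user": "bob", "action": "mfa_device_registered"},
    {"ts": "2024-05-02T03:40:00", "user": "bob", "action": "gift_card_issued", "amount": 500},
    {"ts": "2024-05-02T03:42:00", "user": "bob", "action": "gift_card_issued", "amount": 500},
    {"ts": "2024-05-02T03:45:00", "user": "bob", "action": "gift_card_issued", "amount": 500},
    {"ts": "2024-05-03T10:00:00", "user": "carol", "action": "mfa_device_registered"},
    {"ts": "2024-05-09T10:00:00", "user": "carol", "action": "gift_card_issued", "amount": 50},
]


def flag_issuance_after_mfa_enrollment(events, window_hours=24, min_cards=3):
    """Return alerts for users who issue >= min_cards gift cards within
    window_hours after a new MFA device is registered on their account."""
    window = timedelta(hours=window_hours)
    by_user = {}
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(
            (datetime.fromisoformat(ev["ts"]), ev["action"], ev.get("amount", 0)))

    alerts = []
    for user, rows in by_user.items():
        enrollments = [ts for ts, action, _ in rows if action == "mfa_device_registered"]
        for enrolled_at in enrollments:
            # Gift cards issued by this account inside the post-enrollment window.
            issued = [amt for ts, action, amt in rows
                      if action == "gift_card_issued"
                      and enrolled_at <= ts <= enrolled_at + window]
            if len(issued) >= min_cards:
                alerts.append({"user": user, "enrolled_at": enrolled_at.isoformat(),
                               "cards": len(issued), "total": sum(issued)})
    return alerts


if __name__ == "__main__":
    for alert in flag_issuance_after_mfa_enrollment(SAMPLE_EVENTS):
        print(alert)
```

Issuance with no preceding device registration (alice) and issuance long after enrollment (carol) are not flagged at the default settings; tune the window and count to the portal's normal issuance volume.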
To evade detection, Storm-0539 employs typosquatting—a tactic where they create fake domains closely resembling authentic websites, thereby blending in seamlessly.
Recognizing gift card portals as prime targets for threat actors, Microsoft has issued security recommendations to mitigate risks:
- Bind multi-factor authentication (MFA) tokens to employee devices to thwart token replay attacks.
- Implement least privilege access principles across the business environment to limit the impact of potential breaches.
- Utilize trusted gift card systems equipped with fraud prevention mechanisms and legitimate payment authentication.
- Deploy phishing-resistant MFA solutions to fortify authentication processes.
- Enforce secure password changes, especially for high-risk users, utilizing solutions like Microsoft Entra MFA.
- Provide comprehensive training and education to employees to enhance their ability to identify fraudulent gift card activities and schemes.