July 17, 2024

# Inside the Growing Threat of Gift Card Fraud with Cyber Signals

In the continuous game of cat-and-mouse between cyber-security officials and malicious actors, gift card fraud is emerging as a field of increasing concern. Microsoft Threat Intelligence warns that gift cards, because of their anonymity and their lack of ties to bank accounts, are becoming popular targets for fraud and social engineering.

A noticeable surge in the activity of the hacker group Storm-0539 (also known as Atlas Lion) around US holidays like Memorial Day, Labor Day, Black Friday, Thanksgiving, and Christmas is cause for alarm. In particular, Microsoft reports a 30% rise in this group’s activity from March to May 2024, before Memorial Day.

In the recent edition of [Cyber Signals](https://news.microsoft.com/wp-content/uploads/prod/sites/626/2024/05/Cyber_Signals_Issue_7_May_2024-2.pdf), we take an in-depth look at Storm-0539’s intricate fraud tactics and persistence, and offer retailers suggestions for combating such threats.

## The Evolution of Storm-0539 (Atlas Lion)

Storm-0539’s activity has been detected since late 2021. Initially, the group specialized in malware attacks on point-of-sale (POS) devices to compromise payment card data. It has since expanded its operations to target the cloud and identity services of large retailers, luxury brands, and fast food chains.

## Storm-0539’s Sophisticated Techniques

Storm-0539 sets itself apart through its deep knowledge of cloud environments. The group conducts reconnaissance on gift card issuance processes and employee permissions. By compromising cloud systems, it gains substantial control over identities and access privileges. It persists this access and uses it to create gift cards, not exclusively for consumers. Once the group secures initial access, it bypasses subsequent authentication prompts by registering its own malicious devices on victim networks.

## A Disguise of Legitimacy

Storm-0539 disguises itself as legitimate non-profits to obtain resources from cloud providers. The group creates believable websites with “typosquatting” domain names that differ only slightly from those of authentic websites, and in this way deceives unsuspecting victims.

## How to Prepare for the Storm

Companies issuing gift cards should treat their gift card portals as high-value targets and rigorously monitor and audit them. It’s essential to establish conditional access policies and to train security teams on social engineering tactics. Given Storm-0539’s intimate understanding of cloud environments, investing in cloud security, setting up sign-in risk policies, moving to phishing-resistant multifactor authentication, and applying least-privilege access would be beneficial.

These steps help increase the resilience of organizations against cybercriminals like Storm-0539 and keep gift, payment, and other card options attractive for customers. For recent updates on threat intelligence, visit Microsoft Security Insider.
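Because the group registers its own devices to avoid later authentication prompts and then issues gift cards, one audit a portal owner can run is to correlate the two events. The following is an added example, not code from Microsoft or Cyber Signals; the event schema, the 72-hour window, and the three-card threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical schema (not any product's log format):
# (timestamp, user, event type, device id, card value in USD)
EVENTS = [
    ("2024-01-10T08:00:00", "alice", "device_registered", "dev-a1", 0),
    ("2024-05-24T10:00:00", "alice", "giftcard_issued", "dev-a1", 50),
    ("2024-05-24T10:05:00", "alice", "giftcard_issued", "dev-a1", 50),
    ("2024-05-24T10:09:00", "alice", "giftcard_issued", "dev-a1", 25),
    ("2024-05-24T02:11:00", "bob", "device_registered", "dev-b9", 0),
    ("2024-05-24T02:40:00", "bob", "giftcard_issued", "dev-b9", 500),
    ("2024-05-24T02:41:00", "bob", "giftcard_issued", "dev-b9", 500),
    ("2024-05-24T02:43:00", "bob", "giftcard_issued", "dev-b9", 500),
    ("2024-05-23T14:00:00", "carol", "device_registered", "dev-c2", 0),
    ("2024-05-23T15:30:00", "carol", "giftcard_issued", "dev-c2", 100),
]

WINDOW = timedelta(hours=72)  # assumed: how long a registered device counts as "new"
MAX_CARDS = 3                 # assumed: issuances from a new device that warrant review


def flag_new_device_issuance(events, window=WINDOW, max_cards=MAX_CARDS):
    """Return {(user, device): (card_count, total_value)} for devices that
    issued at least max_cards gift cards within window of being registered."""
    registered = {}                       # (user, device) -> registration time
    issued = defaultdict(lambda: [0, 0])  # (user, device) -> [count, total value]
    # ISO-8601 timestamps of equal length sort chronologically as strings.
    for ts_raw, user, kind, device, amount in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        key = (user, device)
        if kind == "device_registered":
            registered[key] = ts
        elif kind == "giftcard_issued":
            reg = registered.get(key)
            # Devices with no registration in the log are treated as established;
            # a stricter audit could flag those as well.
            if reg is not None and ts - reg <= window:
                issued[key][0] += 1
                issued[key][1] += amount
    return {k: tuple(v) for k, v in issued.items() if v[0] >= max_cards}


if __name__ == "__main__":
    for (user, device), (count, total) in flag_new_device_issuance(EVENTS).items():
        print(f"REVIEW {user} {device}: {count} cards, ${total} from a newly registered device")
```

In the constructed data, alice issues three cards from a long-established device and carol issues one from a new device, so only bob's burst from a device registered half an hour earlier is flagged.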

## Frequently Asked Questions
### What is gift card fraud?
Gift card fraud is a type of financial fraud where cybercriminals steal the balance on gift cards or manipulate these cards to gather financial details about consumers. The fraudsters usually gain access to gift cards by hacking into an individual’s account or by physically tampering with the cards in stores.

### Who is Storm-0539 (Atlas Lion)?
Storm-0539, also known as Atlas Lion, is a cybercrime group active since late 2021. They initially focused on malware attacks on point-of-sale (POS) devices but have now shifted their focus to targeting cloud and identity services. They are notably active around major US holidays and have been tied to a significant amount of gift card fraud.

### How can organizations protect against gift card fraud?
Organizations can reduce the risk of gift card fraud by treating gift card portals as high-value targets for cybercriminals. Implementing stringent security measures, continuous monitoring, and auditing for anomalous activities can help. Other effective strategies include strengthening access control policies, adopting phishing-resistant multifactor authentication, and investing in cloud security best practices.