Microsoft has issued an alert after the final update of 2023 about an increase in malicious activity related to an emerging threat group known as Storm-0539. This group is involved in arranging fake gift card and theft activities via advanced email and SMS phishing attacks against retail businesses, notably during the festive holiday shopping season.
The scammers use adversary-in-the-middle (AiTM) techniques to send users to phishing pages using fake hyperlinks. The capture of session tokens and other private data, such as user credentials, is made easier with this technique.
Storm-0539 not only harvests email information but also network configurations and contact information. Attackers use this information to launch new attacks on previously targeted retail businesses.
According to Microsoft Threat Intelligence:
After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity.
This approach creates a first foothold that may be used to escalate privileges, move widely across the network, and access cloud services. The primary goal is to obtain sensitive information, with an emphasis on utilising gift card-related services to commit fraud.
Microsoft’s Legal Action Against Storm-1152
Last month, Microsoft published its most recent 365 Defender report, which described the adversary as a financially driven organisation with activities going back to at least 2021.
The report explained:
Storm-0539 carries out extensive reconnaissance of targeted organisations in order to craft convincing phishing lures and steal user credentials and tokens for initial access. The actor is well-versed in cloud providers and leverages resources from the target organisation’s cloud services for post-compromise activities.
The claim arises after Microsoft effectively dropped a Vietnamese cybercriminal group by court order. The group oversaw selling fake Microsoft accounts as well as tools for bypassing authentication on numerous tech sites.
The Arkose Cyber Threat Intelligence Research unit’s researchers worked with Microsoft, according to Hogan-Burney, Associate General Counsel.
In the eve of Christmas season warnings, Microsoft reported this week that it had successfully got a court order to take down a cybercriminal group’s US-based infrastructure. The group ran numerous websites, providing access to around 750 million fake Microsoft accounts, making millions of illegal money.
Microsoft Associate General Counsel Hogan-Burney disclosed that the company worked with researchers from the Arkose Cyber Threat Intelligence Research unit. In the difficult collaborative activities, teamwork generated insights that helped in the identification of three Vietnamese nationals as attackers.
Microsoft highlighted that fake accounts are the vitality of hackers and fraudsters, allowing them to continue their automated activities. Companies are growing more efficient in identifying and terminating these kinds of accounts, which forces hackers to create more and more of them to fuel their criminal activities.
Microsoft has released a warning about the growing number of threat actors abusing OAuth apps. Cybercriminals are automating financially driven vulnerabilities and engaging in phishing and business email compromise (BEC). They are also orchestrating massive spamming operations and using virtual machines for bitcoin mining without authorisation.
Storm-1283 used a compromised account to create an OAuth application, which allowed the use of cryptocurrency mining software. Misuse of OAuth allows hackers to get access to apps even if the initial compromised account is no longer active.
The United States and other regions have reported incidents of “card draining” scams this year. Malicious actors use such techniques to get sensitive data, including PINs for unpurchased gift cards and card details.
As reported by USA Today, be careful of scammers who may secretly take gift cards off store shelves and replace them with fake goods. These scammers take the gift cards’ information, tamper with them, and then carefully put the compromised cards back on the racks. Unaware of the potential risks, vulnerable customers can acquire these compromised cards.
Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.
