Microsoft warns of major gift card fraud scheme sweeping through victims
Make sure those gift card links are safe, Microsoft warns
Gift cards are a good way to fund a hobby or interest without having to spend hours agonizing over the perfect present, as they can be redeemed in store or online with a unique code that tracks the amount of money on the card.
Unfortunately, threat actors are taking advantage of the ambiguity of gift cards as an easy way to steal money from corporations without leaving a paper trail.
Chief among these threat actors is the group tracked as Storm-0539, which Microsoft has identified as a unique group that uses an advanced knowledge of cloud environments to break into gift card portals, generate new gift cards for themselves, and then sell them on the dark web or redeem the value for their own use.
Phishing for clouds
Storm-0539 typically infiltrates cloud environments through complex smishing campaigns, which combine social engineering with fake text messages that trick victims into providing access to their organizations. The group then registers its own devices with the victims' authentication services to bypass multi-factor authentication, providing the threat actor with persistent access to the targeted environment.
The group then uses the compromised account to navigate through the targeted environment, hunting for access to the gift card portal while also gathering important information from Salesforce, Citrix, OneDrive and SharePoint. Storm-0539 then uses the compromised employee accounts to generate new gift cards.
In order to avoid detection by the organizations they are targeting, the group uses a tactic known as typosquatting, in which it ‘squats’ on a domain that appears to be an authentic website but whose address actually contains a number of switched characters to blend in.
Microsoft says that gift card portals should be treated as a high priority target for threat actors, and has issued a number of security recommendations to protect against the tactics used by Storm-0539:
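A defender-side check for the typosquatting tactic described above, as an added example that is not from Microsoft or the original article: it flags observed domains that differ from a protected domain by a few character edits, counting two switched adjacent characters as a single edit. The domain names (on the reserved `.example` TLD), the distance threshold and the function names are assumptions made for illustration.

```python
# Added illustration: flag observed domains that are near-misses of a
# protected domain. All domain names here are constructed placeholders.

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and a swap of two
    adjacent characters each cost 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            swapped = (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                       and a[i - 2] == b[j - 1])
            if swapped:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def normalize(domain: str) -> str:
    return domain.strip().lower().rstrip(".")

def find_lookalikes(observed, protected, max_distance=2):
    """Return (observed, protected, distance) for each near-miss."""
    protected_set = {normalize(p) for p in protected}
    hits = []
    for raw in observed:
        dom = normalize(raw)
        if dom in protected_set:
            continue  # exact match is the legitimate domain
        for legit in sorted(protected_set):
            dist = osa_distance(dom, legit)
            if dist <= max_distance:
                hits.append((dom, legit, dist))
    return hits

PROTECTED = ["giftportal.example"]  # assumed legitimate portal domain
OBSERVED = [                        # constructed sample input
    "GiftPortal.example.",  # legitimate, different case and root dot
    "gitfportal.example",   # two adjacent characters switched
    "giftportl.example",    # one character dropped
    "giftporta1.example",   # one character substituted
    "helpdesk.example",     # unrelated domain
]

if __name__ == "__main__":
    for dom, legit, dist in find_lookalikes(OBSERVED, PROTECTED):
        print(f"{dom} resembles {legit} (distance {dist})")
```

Plain Levenshtein distance would score the switched-character case as 2, so a threshold of 1 would miss it; the transposition rule keeps it at 1.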
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.