Cyber Criminals Phishing and Smishing US Retail Corporations for Gift Card Fraud

A cybercriminal group, known as STORM-0539, has been targeting employees at US retail corporate offices to create fraudulent gift cards, according to a new advisory from the FBI. In the campaigns observed by the FBI, the group is using smishing to target employees and gain unauthorized access to employee accounts and corporate systems. Once an employee’s account is compromised, STORM-0539 will conduct reconnaissance on the business network to identify the gift card business process and pivot to employee accounts covering that specific portfolio. After obtaining the credentials of employees working at the corporate gift card department via phishing, the actor will proceed to use that access to create fraudulent gift cards.

“In one instance, a corporation detected STORM-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards. STORM-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by STORM-0539 actors in order to redeem the gift cards” stated the FBI in its advisory.

Security Officer Comments:
The development comes after Microsoft warned of an uptick in activity from this group during the 2023 holiday shopping season, where the group was observed using emails and SMS to direct victims in the retail sector to phishing pages designed to harvest credentials and session tokens. Typically when STORM-0539 gains access to employee sessions, the actor will register their own device to receive subsequent secondary authentication prompts as a means to bypass MFA protections in place. In addition to harvesting employee credentials, this group is known for acquiring SSH passwords and keys, as well as exfiltrating data from employees including names, usernames and phone numbers, which can be leveraged for additional attacks or sold for profit to other cybercriminals interested in performing similar gift card fraud operations.

Suggested Corrections:
The FBI recommends organizations review and make sure their incident response plans are updated. In addition, the following mitigation strategies can be considered to help reduce the risk of and impact from smishing/phishing campaigns:

  • Provide education and training for employees on how smishing/phishing scams work, how to identify them, and how to report them. Ensure there is mechanism and process for employees to report smishing/phishing attacks.
  • Provide education to employees regarding being cautious about sharing sensitive information, including login credentials, when communicating via phone or web-based programs and not clicking on suspicious links. Requests for sensitive information should be verified through alternative approved methods. Urgent requests via SMS should be treated with caution.
  • Require multi-factor authentication on as many accounts and login credentials as possible. When practical, use phishing-resistant authentication options.
  • Employ anti-virus and anti-malware solutions and make sure they are updated regularly.
  • Enforce a strong password policy, such as requiring strong and unique passwords for all password-protected accounts, employing lock-out rules for failed login attempts, restricting the reuse of passwords, and requiring the secure storage of passwords.
  • Consider using network and end-point SMS filtering and anti-phishing tools.
  • Implement security monitoring tools that log network traffic to establish baseline activity, and that enable detecting and addressing abnormal network activity, including lateral movement on a network.
  • Enforce principle of least privilege throughout the organization’s network. Account privileges should be clearly defined and regularly reviewed and adjusted as necessary.
  • Maintain and enforce a Bring Your Own Device policy (BYOD). Provide education and training to employees on the BYOD policy. Phishing Guidance: Stopping the Attack Cycle at Phase One: CISA Phishing Guidance