
Moroccan cybercrime group impersonates nonprofits and abuses cloud services to rake in gift card cash

Microsoft researchers say the group, tracked as Storm-0539 or Atlas Lion, targets employees with major U.S. retailers who control gift card operations.

A highly successful, financially motivated crime group has been impersonating nonprofit organizations to obtain reduced rates or even free access to cloud accounts, which it then uses to operate an increasing number of gift card theft scams targeting top U.S. retailers, researchers with Microsoft said Thursday.

The researchers said activity tied to the group, tracked by Microsoft as Storm-0539 or Atlas Lion and active since late 2021, has increased 30% since March, following a 60% increase in intrusion activity between September and December of 2023, according to research compiled by Microsoft and set to be presented at the annual Sleuthcon cybercrime conference Friday.

The group specializes in targeting major retailers, mostly in the United States, by focusing on key employees or offices within those companies that control payment and gift card operations. After successfully phishing those employees, the attackers gain the ability to navigate intricate cloud environments, as well as specific company procedures, to maximize the amount of money that can be stolen via fraudulently issued payment or gift cards.

The FBI warned in a May 2024 notification that the group has been highly successful in targeting key employees’ personal and work cell phones, bypassing multi-factor authentication by registering their own phones as additional MFA devices on compromised accounts to retain persistence. In one case a retailer noticed Storm-0539 activity and stopped some of it, but the group was able to continue its attack and targeted unredeemed gift cards.


The group, believed to be no more than a dozen people, is unique in the cybercrime ecosystem given that they’re based in Morocco, have adept knowledge and use of cloud environments and don’t rely on malware, said Emiel Haeghebaert, a senior hunt analyst at the Microsoft Threat Intelligence Center and one of the key analysts on the research.

“They essentially log in instead of break in,” he said of the group, which marks a sharp evolution from the years-old tactic of attaching physical skimmers to point-of-sale terminals to copy credit card numbers. 

Haeghebaert said Microsoft has observed the group creating domains to pose as legitimate nonprofit organizations, such as animal shelters and charities in the U.S. and Europe, and even obtain copies of correspondence with the Internal Revenue Service that designate those groups as legitimate nonprofit organizations. With those materials, the group gets discounted or free cloud services, which they then use to host virtual machines and other infrastructure tied to their operations. 

The group’s reconnaissance and ability to leverage cloud environments “are similar to what Microsoft observes from nation-state-sponsored threat actors,” Haeghebaert and the other researchers wrote in the company’s May 2024 Cyber Signals report, which focuses on the latest major threats the company is seeing.

Haeghebaert said it’s not clear how much money the group has been able to steal, but noted that they are quite successful at understanding individual companies’ gift card policies, including how much the policies allow to be issued, and then staying just under that threshold.


Companies can go a long way in defending themselves against this strain of attack by employing defenses they should be using anyway, Haeghebaert said, such as enabling MFA for all employees and implementing the principle of least privilege, where employee access is limited to functions they need to access for work. 

Companies should also treat their gift card portals and infrastructure as high-value targets, and should understand what baseline activity looks like in terms of employees who work on those networks. For instance, if an employee account typically logs in from Maryland between 9 a.m. and 5 p.m. Eastern Standard Time, “someone from Morocco at 2 a.m. shouldn’t be logging into your account,” he said. “Something like that should be flagged as anomalous … something like that would be extremely effective against this group.”
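The baseline-and-anomaly check described above, combined with the FBI's point earlier in the piece that the group registers its own phones as MFA devices to keep access, as an added example that is not part of this article or of Microsoft's research: a small Python triage routine that compares sign-in records for a gift card operations account against a per-user baseline (usual country and business hours) and escalates any new MFA method registration that follows an anomalous sign-in. The log schema, the account name, the baseline values and the fixed UTC-4 (Eastern Daylight Time) offset are all assumptions made for illustration; the records are constructed.

```python
"""Baseline-based sign-in triage for a gift card operations account.

Added example. The record format, account and baseline are assumed for
illustration; the timezone is a fixed offset rather than a real IANA zone
to keep the example dependency-free.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class Baseline:
    """Where and when an account normally signs in (assumed per user)."""
    country: str          # ISO 3166 alpha-2 country of normal sign-ins
    utc_offset_hours: int  # fixed offset used to judge local business hours
    start: time           # local start of normal working hours
    end: time             # local end of normal working hours


# Hypothetical baseline: the account works 9-5 Eastern (UTC-4 in May) from the U.S.
BASELINES = {
    "giftcard-ops@example.com": Baseline("US", -4, time(9, 0), time(17, 0)),
}

# Constructed records (ISO-8601 UTC timestamps); not from any real system.
RECORDS = [
    {"user": "giftcard-ops@example.com", "ts": "2024-05-15T14:03:00Z", "country": "US", "event": "signin"},
    {"user": "giftcard-ops@example.com", "ts": "2024-05-16T06:10:00Z", "country": "MA", "event": "signin"},
    {"user": "giftcard-ops@example.com", "ts": "2024-05-16T06:14:00Z", "country": "MA", "event": "mfa_method_added"},
    {"user": "giftcard-ops@example.com", "ts": "2024-05-16T15:00:00Z", "country": "US", "event": "signin"},
]

# An MFA registration this soon after an anomalous sign-in is treated as persistence.
MFA_WINDOW = timedelta(minutes=30)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def to_local(ts: str, base: Baseline) -> datetime:
    """Shift a UTC timestamp into the account's assumed local offset."""
    return parse_utc(ts).astimezone(timezone(timedelta(hours=base.utc_offset_hours)))


def signin_reasons(record: dict, base: Baseline) -> list[str]:
    """Return why a sign-in deviates from the baseline; an empty list means normal."""
    reasons = []
    if record["country"] != base.country:
        reasons.append(f"country {record['country']} differs from baseline {base.country}")
    local = to_local(record["ts"], base)
    if not (base.start <= local.time() <= base.end):
        reasons.append(f"local time {local:%H:%M} outside {base.start:%H:%M}-{base.end:%H:%M}")
    return reasons


def triage(records, baselines=BASELINES):
    """Walk records in time order and return (ts, user, event, reasons) for anomalies.

    Sign-ins are judged against the baseline; every new MFA method registration is
    surfaced for review, and escalated when it closely follows an anomalous sign-in.
    """
    last_anomalous = {}  # user -> UTC datetime of most recent anomalous sign-in
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        base = baselines.get(rec["user"])
        if base is None:
            continue  # no baseline learned yet for this account
        ts = parse_utc(rec["ts"])
        reasons = []
        if rec["event"] == "signin":
            reasons = signin_reasons(rec, base)
            if reasons:
                last_anomalous[rec["user"]] = ts
        elif rec["event"] == "mfa_method_added":
            reasons = ["new MFA method registered"]
            if rec["country"] != base.country:
                reasons.append(f"registered from {rec['country']}, baseline {base.country}")
            prior = last_anomalous.get(rec["user"])
            if prior is not None and ts - prior <= MFA_WINDOW:
                reasons.append("follows anomalous sign-in within 30 min: likely persistence")
        if reasons:
            findings.append((rec["ts"], rec["user"], rec["event"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, event, reasons in triage(RECORDS):
        print(f"{ts} {user} {event}: " + "; ".join(reasons))
```

Run as a script, it prints two findings: the 2:10 a.m. Eastern sign-in from Morocco, and the MFA registration four minutes later flagged as likely persistence; the two in-hours U.S. sign-ins produce nothing. In practice the baseline would be learned from the account's own history rather than hard-coded, and the time check would use a real timezone database so daylight-saving changes do not generate false positives.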
