Microsoft (https://www.microsoft.com) is warning of an increase in malicious activity from an emerging threat cluster it tracks as Storm-0539, which is carrying out gift card fraud and theft through sophisticated email and SMS phishing attacks against retail organizations during the holiday shopping season. The goal of the attacks is to distribute booby-trapped links that direct victims to Adversary-in-the-Middle (AiTM) phishing pages that harvest their credentials and session tokens. After gaining access to an initial session and token, Storm-0539 registers its own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment with the fully compromised identity.
See: https://redskyalliance.org/xindustry/scammers-want-to-shop-with-your-gift-cards
The foothold gained in this manner then serves as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources to collect sensitive information, with gift card-related services singled out to facilitate fraud. In addition, Storm-0539 collects emails, contact lists, and network configurations for follow-on attacks against the same organizations, underscoring the need for robust credential hygiene practices.
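The sequence described above, an AiTM-proxied sign-in (which passes MFA, because the victim completes it) followed shortly by the attacker enrolling a device, is something a defender can hunt for by correlating sign-in and audit events. The following is an added example, not Microsoft's or Red Sky Alliance's code; the log field names, the "Register device" operation string, the sample events and the per-user IP baseline are all constructed assumptions, not a real tenant's schema.

```python
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on identity-provider sign-in and
# audit logs. Field names and the operation string are assumptions.
SIGNINS = [
    {"ts": "2023-12-01T09:02:00", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": True},
    {"ts": "2023-12-01T09:40:00", "user": "bob@example.com", "ip": "198.51.100.4", "mfa": True},
    {"ts": "2023-12-01T10:15:00", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": True},
]
AUDITS = [
    {"ts": "2023-12-01T09:21:00", "user": "alice@example.com", "op": "Register device"},
    {"ts": "2023-12-01T15:00:00", "user": "bob@example.com", "op": "Register device"},
]
# Constructed baseline: IPs each user was seen from before the review window.
KNOWN_IPS = {"alice@example.com": {"192.0.2.10"}, "bob@example.com": {"198.51.100.4"}}


def _t(s):
    return datetime.fromisoformat(s)


def find_suspicious_registrations(signins, audits, known_ips, window_min=60):
    """Flag device registrations that occur within window_min minutes after a
    sign-in from an IP the user has never used. Note that the sign-in's MFA flag
    is deliberately ignored: a replayed AiTM session shows MFA as satisfied."""
    alerts = []
    for a in audits:
        if a["op"] != "Register device":
            continue
        reg_time = _t(a["ts"])
        for s in signins:
            if s["user"] != a["user"] or s["ip"] in known_ips.get(s["user"], set()):
                continue
            delta = reg_time - _t(s["ts"])
            # Only sign-ins that precede the registration inside the window count.
            if timedelta(0) <= delta <= timedelta(minutes=window_min):
                alerts.append({
                    "user": a["user"],
                    "signin_ip": s["ip"],
                    "signin_ts": s["ts"],
                    "registration_ts": a["ts"],
                    "minutes_between": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(SIGNINS, AUDITS, KNOWN_IPS):
        print(alert)
```

In the constructed data only alice's registration fires: it follows a sign-in from an unseen IP by 19 minutes, while bob registers from a known IP hours after his sign-in.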
In its monthly Microsoft 365 Defender report published in November 2023, Microsoft described the adversary as a financially motivated group that has been active since at least 2021. Storm-0539 carries out extensive reconnaissance of targeted organizations to craft convincing phishing lures and steal user credentials and tokens for initial access. The actor is well-versed in cloud providers and leverages resources from the target organization's cloud services for post-compromise activities.
The disclosure comes days after the company said it obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152 that sold access to approximately 750 million fraudulent Microsoft accounts as well as identity verification bypass tools for other technology platforms.
See: https://redskyalliance.org/xindustry/microsoft-disrupts-cybercrime-service
Recently, Microsoft also warned that multiple threat actors are abusing OAuth applications to automate financially motivated cybercrime, including Business Email Compromise (BEC), phishing, large-scale spamming campaigns, and the deployment of virtual machines to illicitly mine cryptocurrency.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632