FBI warns of fraudsters targeting gift card systems


The Federal Bureau of Investigation (FBI) has warned of heightened cybercriminal activity against employees at US retail corporate offices. Hackers are trying to take over gift card systems and issue gift cards themselves.

The threat actor labeled STORM-0539, also known as Atlas Lion, is targeting US retail corporations, specifically the gift card departments located in their corporate offices, according to the report.

As of January 2024, STORM-0539 used smishing campaigns (smishing is the fraudulent practice of sending text messages) targeting employees. Once they gained unauthorized access to employee accounts and corporate systems, the hackers continued reconnaissance and phishing campaigns until they had elevated their network access, with the goal of targeting the gift card department.

Once in the network, the hackers attempt to access secure shell (SSH) passwords and keys, in addition to targeting the credentials of employees in the gift card department.

Finally, STORM-0539 used compromised accounts to create fraudulent gift cards, resulting in financial loss to the company.

Cybercrooks were observed targeting employees' personal and work mobile phones. They used a sophisticated phishing kit that was able to bypass multi-factor authentication (MFA).

“In one instance, a corporation detected STORM-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards. STORM-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by STORM-0539 actors in order to redeem the gift cards,” FBI’s notification reads.

The FBI recommends that organizations review their incident response plans and make sure they are up to date. The suggested strategies mostly consist of basic cybersecurity hygiene, such as requiring multi-factor authentication, enforcing a strong password policy, employing anti-virus solutions, implementing network monitoring tools, providing education and training, and others.
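As an illustration of monitoring for the pivot quoted above (email addresses changed on unredeemed gift cards, followed by redemption), here is an added detection sketch that is not part of the FBI notification or this article. The event schema, account names, card IDs, time window and threshold are all assumptions, and the audit events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events for a hypothetical gift card platform (not real data):
# (timestamp, acting account, action, card id, email associated with the event)
EVENTS = [
    ("2024-01-10T09:00:00", "svc-pos", "ISSUE", "GC-1001", "alice@example.com"),
    ("2024-01-10T09:05:00", "svc-pos", "ISSUE", "GC-1002", "bob@example.com"),
    ("2024-01-10T09:06:00", "svc-pos", "ISSUE", "GC-1003", "carol@example.com"),
    ("2024-01-12T02:10:00", "jdoe", "EMAIL_CHANGE", "GC-1001", "x1@mail.invalid"),
    ("2024-01-12T02:11:00", "jdoe", "EMAIL_CHANGE", "GC-1002", "x2@mail.invalid"),
    ("2024-01-12T02:40:00", "web", "REDEEM", "GC-1001", "x1@mail.invalid"),
    ("2024-01-13T15:00:00", "web", "REDEEM", "GC-1003", "carol@example.com"),
    ("2024-01-20T11:00:00", "support1", "EMAIL_CHANGE", "GC-1003", "carol@example.org"),
]

def detect(events, redeem_window=timedelta(hours=24), bulk_threshold=2):
    """Return (cards redeemed soon after an email change, accounts bulk-changing emails)."""
    redeemed = set()
    last_change = {}                      # card -> (time, actor, new email), unredeemed cards only
    changes_by_actor = defaultdict(set)   # actor -> unredeemed cards whose email they changed
    change_then_redeem = []
    for ts, actor, action, card, email in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if action == "EMAIL_CHANGE" and card not in redeemed:
            last_change[card] = (when, actor, email)
            changes_by_actor[actor].add(card)
        elif action == "REDEEM":
            redeemed.add(card)
            if card in last_change:
                changed_at, who, new_email = last_change[card]
                # Redemption through the newly set address shortly after the change
                if email == new_email and when - changed_at <= redeem_window:
                    change_then_redeem.append((card, who))
    bulk = sorted(a for a, cards in changes_by_actor.items() if len(cards) >= bulk_threshold)
    return change_then_redeem, bulk

if __name__ == "__main__":
    hits, bulk_actors = detect(EVENTS)
    print("Redeemed after email change:", hits)
    print("Accounts changing emails on multiple unredeemed cards:", bulk_actors)
```

Email changes on already redeemed cards are ignored here, so routine post-redemption support edits do not raise alerts.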

It’s important to understand phishing techniques and to stop the phishing attack cycle at phase one. CISA has released guidance for network defenders and software manufacturers.