Image: Midjourney

The FBI warned retail companies in the United States that a financially motivated hacking group has been targeting employees in their gift card departments in phishing attacks since at least January 2024.

Tracked as Storm-0539, this hacking group targets the personal and work mobile devices of retail department staff using a sophisticated phishing kit that enables them to bypass multi-factor authentication.

Upon infiltrating an employee's account, the attackers move laterally through the network, trying to identify the gift card business process and pivoting towards compromised accounts linked to this specific portfolio.

In addition to stealing the login credentials of gift card department personnel, their efforts extend to acquiring secure shell (SSH) passwords and keys. Together with stolen employee information such as names, usernames, and phone numbers, these could be sold for financial gain or exploited by Storm-0539 in future attacks.

Should the hackers succeed in breaching the victim's corporate gift card department, they use compromised employee accounts to generate fraudulent gift cards.

"In one instance, a corporation detected STORM-0539's fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards," the FBI said in a Private Industry Notification [PDF] issued this week.

"STORM-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by STORM-0539 actors in order to redeem the gift cards."

How to defend against Storm-0539's attacks

The FBI advises retail corporations across the United States to review and update their incident response plans and consider training their employees to recognize phishing scams and to not share sensitive information like credentials via email, chat, or phone calls to reduce the risk and impact of such phishing attacks.

Potential targets must also require multi-factor authentication wherever possible, use up-to-date antivirus and anti-malware solutions, implement strong password policies, and enforce the principle of least privilege across their networks.

The FBI's PIN follows a mid-December warning from Microsoft, which cautioned of a surge in Storm-0539 gift card fraud and theft attacks during the holiday season.

"After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity," Microsoft said.

"With each successful compromise, Storm-0539 escalates privileges, moves laterally, and accesses cloud resources to collect specific information. Storm-0539 enumerates internal resources and identifies gift card-related services that can be used for gift card fraud."