FBI Warns Retailers of Increased Phishing Attacks on Corporate Offices

FBI & Microsoft

A threat to US retail corporate offices is outlined in a Private Industry Notification (PIN) by the FBI. Since January 2024, the threat group STORM-0539 (also known as Atlas Lion) has been actively targeting employees in the gift card departments of these corporations through phishing and SMS phishing (smishing) campaigns. Their primary objective is to create fraudulent gift cards, leading to significant financial losses for the affected businesses. STORM-0539 has employed smishing campaigns to compromise employees' personal and work mobile devices, bypassing multi-factor authentication with advanced phishing kits.

Once the threat actors gained initial access, they conducted reconnaissance within the network, specifically targeting the gift card business process. By escalating their access and pivoting to compromised employee accounts within the gift card departments, they managed to create and redeem fraudulent gift cards, causing financial and operational disruptions. In one notable instance, even after a corporation detected and attempted to halt STORM-0539’s fraudulent activities by altering their systems, the group regained access. They then modified unredeemed gift cards by changing the associated email addresses to those under their control, facilitating the theft of funds.

The consistency of STORM-0539's campaign was corroborated by a Microsoft report from December 2023, which observed a surge in the group's activities during the holiday shopping season. Microsoft reported that STORM-0539 used URLs leading to adversary-in-the-middle (AiTM) pages to steal credentials and session tokens. By registering their own devices to receive secondary authentication prompts, they bypassed multi-factor authentication and maintained persistent access to the network. This allowed them to escalate privileges, move laterally, and access cloud resources to further their fraudulent activities with gift cards.
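The device-registration step described above is something defenders can hunt for in identity logs. The sketch below is an added example, not taken from the FBI notification or the Microsoft report: it flags an MFA device registration made from an IP address the user only began using shortly beforehand, while ignoring first-time enrolment. The event records, field names and the 24-hour window are constructed assumptions, not a real product schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a real product schema.
EVENTS = [
    {"ts": "2024-03-01T09:02:00", "user": "alice", "ip": "198.51.100.10", "event": "signin"},
    {"ts": "2024-03-04T09:05:00", "user": "alice", "ip": "198.51.100.10", "event": "signin"},
    {"ts": "2024-03-05T22:41:00", "user": "alice", "ip": "203.0.113.77", "event": "signin"},
    {"ts": "2024-03-05T22:44:00", "user": "alice", "ip": "203.0.113.77", "event": "mfa_device_registered"},
    {"ts": "2024-03-02T08:30:00", "user": "bob", "ip": "198.51.100.22", "event": "signin"},
    {"ts": "2024-03-06T08:31:00", "user": "bob", "ip": "198.51.100.22", "event": "mfa_device_registered"},
    {"ts": "2024-03-06T10:00:00", "user": "carol", "ip": "192.0.2.5", "event": "signin"},
    {"ts": "2024-03-06T10:02:00", "user": "carol", "ip": "192.0.2.5", "event": "mfa_device_registered"},
]

def suspicious_mfa_registrations(events, new_ip_window=timedelta(hours=24)):
    """Flag MFA device registrations made from an IP the user first used
    within `new_ip_window`, when the user has older history from other IPs."""
    first_seen = {}   # (user, ip) -> first time that user was seen from that IP
    user_start = {}   # user -> first time the user was seen at all
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["ts"])
        user, ip = e["user"], e["ip"]
        first_seen.setdefault((user, ip), ts)
        user_start.setdefault(user, ts)
        if e["event"] != "mfa_device_registered":
            continue
        ip_age = ts - first_seen[(user, ip)]
        ip_is_new = ip_age <= new_ip_window
        # No earlier activity from another IP means first-time enrolment, not a change.
        has_baseline = user_start[user] < first_seen[(user, ip)]
        if ip_is_new and has_baseline:
            alerts.append({"user": user, "ip": ip, "ts": e["ts"], "ip_age": str(ip_age)})
    return alerts

if __name__ == "__main__":
    for alert in suspicious_mfa_registrations(EVENTS):
        print(alert)
```

In the constructed data only alice's registration is flagged: bob registers from an address he has used for days, and carol has no earlier history, so her registration is treated as enrolment.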

