Cybercrooks Are Phishing Retail Staff to Redeem Gift Cards, FBI Warns

The FBI has issued a private industry notification warning retailers that cybercriminals are duping staff into providing access to gift card generators, inflicting financial damage.

As of January 2023, a group named STORM-0539, also known as Atlas Lion, has been targeting retail stores across the US using phishing and smishing (SMS phishing) tricks to gain access to gift card departments.

The group specializes in gaining unauthorized access to employee accounts and corporate systems.

“Once they gained access, STORM-0539 actors used phishing campaigns to target other employees to elevate network access and target the gift card department in order to create fraudulent gift cards,” the notice reads.

A full-fledged operation

The perps use a sophisticated phishing kit with the ability to bypass multi-factor authentication, then conduct reconnaissance on the network to identify the gift card business process and then pivot to employee accounts covering that specific portfolio.

Once in the network, the attackers seek secure shell (SSH) passwords and keys, in addition to employee credentials in the gift card department.

After gaining access to the target department, the group starts creating all-new gift cards using compromised employee accounts, then redeem the value associated with those cards.

“In one instance, a corporation detected STORM-0539’s fraudulent gift card activity in their system, and instituted changes to prevent the creation of fraudulent gift cards,” according to the notice. “STORM-0539 actors continued their smishing attacks and regained access to corporate systems. Then, the actors pivoted tactics to locating unredeemed gift cards, and changed the associated email addresses to ones controlled by STORM-0539 actors in order to redeem the gift cards.”

Where possible, the hackers use their unauthorized access to pilfer employee data, including names, usernames and phone numbers, “which could be exploited by the actors for additional attacks or sold for financial gain,” the agency warns.

The bureau urges retailers across the US to teach staff how smishing/phishing scams work, how to identify them, and how to report them. Retailers are also to require multi-factor authentication on as many accounts and login credentials as possible, and to use phishing-proof authentication options.

The notice also instructs retailers to enforce a strong password policy, adopt the principle of least privilege throughout the network, and employ anti-virus and anti-malware solutions.

The gift that keeps on taking

Gift cards are hot targets for cybercriminals, as evidenced by the multitude of scams surrounding the popular gaming platform Steam.

Gift cards also serve as a lucrative linchpin for tech support scams, where fraudsters call up random victims posing as help desk employees, warning that their computer is infected with malware. The scammers then prompt the victims to pay for “virus removal” by sharing the code off a scratch card bought at the local store.

Some countries are making a push to thwart the phenomenon. For instance, the Echizen Police in Fukui, Japan, are placing dummy payment cards across the prefecture’s convenience stores in a bid to thwart support scammers preying on the elderly.

According to the Bitdefender 2024 Consumer Cybersecurity Assessment Report, SMS scams are the most common cyber-threat people face today. Yet four in five netizens make sensitive transactions on their phones, while at the same time failing to exercise adequate cybersecurity practices.

Bitdefender Scamio is a free scam detector and prevention service for anyone with a Bitdefender account. Suspicious about a certain phone call, email, or SMS? Simply describe the situation to our clever chatbot and let it guide you to safety. You can share with Scamio the exact thing you want to check, such as a screenshot, PDF, QR code, or link. Scamio lets you know in seconds if it’s a sham.