{"id":3716,"date":"2024-05-23T08:00:00","date_gmt":"2024-05-23T13:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80511"},"modified":"2024-05-23T08:00:00","modified_gmt":"2024-05-23T13:00:00","slug":"moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/23\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash\/","title":{"rendered":"Moroccan cybercrime group impersonates nonprofits and abuses cloud services to rake in gift card cash"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Moroccan cybercrime group impersonates nonprofits and abuses cloud services to rake in gift card cash | CyberScoop<\/title> <meta name=\"description\" content=\"Microsoft researchers say the group, tracked as Storm-0539 or Atlas Lion, targets employees with major U.S. retailers who control gift card operations.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Moroccan cybercrime group impersonates nonprofits and abuses cloud services to rake in gift card cash\"> <meta property=\"og:description\" content=\"Microsoft researchers say the group, tracked as Storm-0539 or Atlas Lion, targets employees with major U.S. 
retailers who control gift card operations.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-05-23T13:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-05-23T13:08:15+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1715117951g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1715115084g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1716385020g\" type=\"text\/css\" media=\"all\">\n<link 
rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80511\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80511\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmoroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmoroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80511 single-format-standard\" id=\"readabilityBody\"> <a 
href=\"https:\/\/cyberscoop.com\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.219362745098\">\n<div class=\"single-article__header-content\" readability=\"32.706896551724\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Microsoft researchers say the group, tracked as Storm-0539 or Atlas Lion, targets employees with major U.S. retailers who control gift card operations. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=506,337 506w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Credit cards and dollar bills. a blue plastic bank card is lying on a pile of American dollars. (\tDiy13\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"42.91397601476\"><body readability=\"87.133757961783\"><\/p>\n<p>A highly successful, financially motivated crime group has been impersonating nonprofit organizations to obtain reduced rates or even free access to cloud accounts, which it then uses to operate an increasing number of gift card theft scams targeting top U.S. retailers, researchers with Microsoft said Thursday.<\/p>\n<p>The researchers said activity tied to the group, tracked by Microsoft as Storm-0539 or Atlas Lion and active since late 2021, has increased 30% since March, following a 60% increase in intrusion activity between September and December of 2023, according to research compiled by Microsoft and set to be presented <a href=\"https:\/\/www.sleuthcon.com\/into-the-lions-den-a-deep-dive-into-storm-0539\">at the annual Sleuthcon cybercrime conference Friday<\/a>.<\/p>\n<p>The group specializes in targeting major retailers, mostly in the United States, by focusing on key employees or offices within those companies that control payment and gift card operations. 
After successfully phishing those employees, the attackers gain the ability to navigate intricate cloud environments, as well as specific company procedures, to maximize the amount of money that can be stolen via fraudulently issued payment or gift cards.<\/p>\n<p>The <a href=\"https:\/\/www.ic3.gov\/Media\/News\/2024\/240507.pdf\">FBI warned in a May 2024 notification<\/a> that the group has been highly successful in targeting key employees\u2019 personal and work cell phones, bypassing multi-factor authentication protocols by adding their own phones to systems to retain persistence. In one case a retailer noticed Storm-0539 activity and stopped some of it, but the group was able to continue its attack and targeted unredeemed gift cards.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The group, believed to be no more than a dozen people, is unique in the cybercrime ecosystem given that they\u2019re based in Morocco, have adept knowledge and use of cloud environments and don\u2019t rely on malware, said Emiel Haeghebaert, a senior hunt analyst at the Microsoft Threat Intelligence Center and one of the key analysts on the research.<\/p>\n<p>\u201cThey essentially log in instead of break in,\u201d he said of the group, which marks a sharp evolution from the years-old tactic of attaching physical skimmers to point-of-sale terminals to copy credit card numbers.&nbsp;<\/p>\n<p>Haeghebaert said Microsoft has observed the group creating domains to pose as legitimate nonprofit organizations, such as animal shelters and charities in the U.S. and Europe, and even obtain copies of correspondence with the Internal Revenue Service that designate those groups as legitimate nonprofit organizations. 
With those materials, the group gets discounted or free cloud services, which they then use to host virtual machines and other infrastructure tied to their operations.&nbsp;<\/p>\n<p>The group\u2019s reconnaissance and ability to leverage cloud environments \u201care similar to what Microsoft observes from nation-state-sponsored threat actors,\u201d Haeghebaert and the other researchers wrote in the <a href=\"https:\/\/news.microsoft.com\/cyber-signals\/\">company\u2019s May 2024 Cyber Signals report<\/a>, which focuses on the latest major threats the company is seeing.<\/p>\n<p>Haeghebaert said it\u2019s not clear how much money the group has been able to steal, but noted that they are quite successful at understanding individual companies\u2019 gift card policies, including how much the policies allow to be issued, and then&nbsp; staying just under that threshold.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Companies can go a long way in defending themselves against this strain of attack by employing defenses they should be using anyway, Haeghebaert said, such as enabling MFA for all employees and implementing the principle of least privilege, where employee access is limited to functions they need to access for work.&nbsp;<\/p>\n<p>Companies should also treat their gift card portals and infrastructure as high-value targets, and should understand what baseline activity looks like in terms of employees who work on those networks. For instance, if an employee account typically logs in from Maryland between 9 a.m. and 5 p.m. Eastern Standard Time, \u201csomeone from Morocco at 2 a.m. shouldn\u2019t be logging into your account,\u201d he said. 
\u201cSomething like that should be flagged as anomalous \u2026 something like that would be extremely effective against this group.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.0790513833992\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div 
class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Moroccan cybercrime group impersonates nonprofits and abuses cloud services to<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2094,282,625,1396,2095,2096],"tags":[2097,286,630,1397,2098,2099],"class_list":["post-3716","post","type-post","status-publish","format-standard","hentry","category-atlas-lion","category-cybercrime","category-microsoft","category-multi-factor-authentication-mfa","category-sleuthcon","category-storm-0539","tag-atlas-lion","tag-cybercrime","tag-microsoft","tag-multi-factor-authentication-mfa","tag-sleuthcon","tag-storm-0539"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber 
Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/atlas-lion\/\" rel=\"category tag\">Atlas Lion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/multi-factor-authentication-mfa\/\" rel=\"category tag\">multi-factor authentication (MFA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sleuthcon\/\" rel=\"category tag\">Sleuthcon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/storm-0539\/\" rel=\"category tag\">Storm-0539<\/a>","tag_info":"Storm-0539","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3716"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3716\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}