A group of Moroccan hackers dubbed Storm-0539 has been running gift card fraud via sophisticated email and SMS phishing attacks. The group was highlighted in Microsoft’s latest Cyber Signals report and reportedly stole up to $100,000 daily at certain companies.
The attack abuses initial access from unsuspecting victims to register the hackers’ devices, bypassing authentication and gaining persistent access. Once there, the hackers can elevate privileges and compromise gift-card-related services by creating fake gift cards to further the scam. The attack chain is further designed to access the victim’s cloud environment, letting the attacker perform recon and potentially weaponise the infrastructure to facilitate fraud. Campaign targets include large-scale retailers, luxury brands, and well-known fast-food chains.
The endgame is to either redeem these bogus gift cards for their value, sell them on the black market, or simply cash the cards out. Microsoft claims it has observed a 30% increase in the group’s activity between March and May 2024 and a 60% increase between September and December 2023.

Another factor that adds legitimacy to Storm-0539’s phishing campaign is that the group often uses legitimate internal company mailing lists to send phishing messages after gaining initial access. Reports of the group creating free trials or student accounts on cloud service platforms to set up new websites have also surfaced. Additionally, the attack goes beyond just stealing the credentials of the gift-card department personnel, often attempting to gain SSH access and keys, which can later be sold to other threat actors or used for follow-up attacks.
This isn’t the first time Storm-0539 has popped up on Microsoft’s radar. The Windows maker has been tracking the group since at least December 2023, when it linked it to social engineering campaigns ahead of the holiday season that involved stealing credentials and browser session tokens via man-in-the-middle phishing pages. The group is also known as Atlas Lion and has been active since at least 2021.
The group also has an extensive history of stealing payment card data by deploying malware on point-of-sale (PoS) devices. Storm-0539 is now using its extensive knowledge of the cloud to shift tactics and switch to stealing gift cards instead.
Storm-0539 is also being eyed by the Feds. The FBI issued an advisory warning of phishing attacks from the group targeting gift-card departments of popular retail corporations using a “sophisticated phishing kit with the ability to bypass multi-factor authentication.”