Cyber Report

Criminals Phishing US Retail Corporations for Gift Card Fraud

The Federal Bureau of Investigation (FBI) has issued a Private Industry Notification (PIN) to warn about a rising trend in cybercriminal activity targeting employees at U.S. retail corporate offices. These criminals are employing phishing and Short Message Service (SMS) phishing, also known as “smishing,” to generate fraudulent gift cards, leading to significant financial losses. The FBI urges private sector partners to implement the recommended strategies in the “Mitigations” section to minimize the risk and impact of similar attacks.

Threat Overview

As of January 2024, the FBI has identified a cybercriminal group known as STORM-0539, or Atlas Lion, which is actively targeting national retail corporations, particularly the gift card departments within their corporate offices. The group utilizes smishing campaigns to gain unauthorized access to employee accounts and corporate systems. Once inside the network, STORM-0539 escalates its attacks through phishing campaigns, targeting additional employees to gain further access and specifically exploit the gift card departments.

The group employs several tactics, techniques, and procedures (TTPs), including:

  • Smishing Campaigns: Targeting employees’ personal and work mobile phones in retail departments to compromise accounts.
  • Phishing Kit: Utilizing a sophisticated phishing kit capable of bypassing multi-factor authentication.
  • Reconnaissance: Conducting detailed reconnaissance on business networks to identify the gift card business process and then pivoting to target employee accounts within that specific department.
  • Credential Access: Attempting to obtain secure shell (SSH) passwords and keys, as well as credentials of employees in the gift card department.
  • Fraudulent Gift Cards: Creating fraudulent gift cards using compromised employee accounts. In one case, when a corporation detected and prevented the creation of fraudulent gift cards, STORM-0539 shifted tactics to locate unredeemed gift cards and changed the associated email addresses to ones they controlled, allowing them to redeem the cards.
  • Data Exfiltration: Exfiltrating employee data such as names, usernames, and phone numbers, which can be exploited for further attacks or sold for financial gain.

Mitigations

To counter these threats, the FBI recommends that organizations establish and maintain strong relationships with their local FBI Field Office. The FBI can assist companies in identifying vulnerabilities, mitigating malicious cyber activity, and pursuing justice against those responsible.

Organizations should also ensure that their incident response plans are up to date. The following strategies can help reduce the risk and impact of smishing and phishing campaigns:

  • Implementing robust security awareness training programs for employees.
  • Enforcing strict access controls and monitoring for suspicious activity.
  • Regularly updating and patching systems to protect against known vulnerabilities.
  • Utilizing multi-factor authentication and advanced threat detection tools.
  • Conducting regular audits and reviews of security protocols and procedures.

By adopting these measures, organizations can better protect themselves against the growing threat posed by cybercriminal groups like STORM-0539.
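
As an added example (not part of the FBI notification), the sketch below shows one way to monitor for the tactic described under "Fraudulent Gift Cards": email addresses changed on unredeemed cards, followed by redemption. The audit log layout, account names, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log in a hypothetical schema (not from the FBI notification):
# timestamp, actor account, action, card id, card state at event time
SAMPLE_LOG = """\
2024-01-10T09:00:00,svc_support,email_change,GC-1001,unredeemed
2024-01-10T09:04:00,emp_jlee,email_change,GC-2001,unredeemed
2024-01-10T09:06:00,emp_jlee,email_change,GC-2002,unredeemed
2024-01-10T09:09:00,emp_jlee,email_change,GC-2003,unredeemed
2024-01-10T09:40:00,customer,redeem,GC-2002,unredeemed
2024-01-12T15:00:00,customer,redeem,GC-1001,unredeemed
2024-01-13T11:00:00,emp_mroy,email_change,GC-3001,redeemed
"""

def parse(log):
    rows = (line.split(",") for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(r[0]), *r[1:]) for r in rows)

def bulk_email_changes(events, threshold=3, window=timedelta(hours=1)):
    """Actors who changed the email on >= threshold unredeemed cards within window."""
    by_actor = defaultdict(list)
    for ts, actor, action, card, state in events:
        if action == "email_change" and state == "unredeemed":
            by_actor[actor].append((ts, card))
    flagged = {}
    for actor, changes in by_actor.items():
        for start, _ in changes:
            cards = {c for t, c in changes if start <= t <= start + window}
            if len(cards) >= threshold:
                flagged[actor] = sorted(cards)
                break
    return flagged

def redeemed_after_change(events, window=timedelta(hours=24)):
    """Cards redeemed within window of an email change on the same card."""
    last_change, hits = {}, []
    for ts, actor, action, card, state in events:
        if action == "email_change":
            last_change[card] = (ts, actor)
        elif action == "redeem" and card in last_change:
            changed_at, changer = last_change[card]
            if ts - changed_at <= window:
                hits.append((card, changer, ts - changed_at))
    return hits

if __name__ == "__main__":
    print(bulk_email_changes(parse(SAMPLE_LOG)), redeemed_after_change(parse(SAMPLE_LOG)))
```

The thresholds (three cards within an hour, redemption within 24 hours) are starting points to tune against normal customer-service volume.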
