Microsoft: Storm-0539 Group Behind a Surge of Gift Card Scams
2023-12-18 23:11:6

With the holiday season well underway, a threat group with a history of gift card scams is ramping up its efforts, according to Microsoft.

The vendor’s Threat Intelligence unit wrote in a posting on X (formerly Twitter) that it has seen a “significant surge in activity associated with the threat actor Storm-0539, known to target retail organizations for gift card fraud and theft using highly sophisticated email and SMS phishing during the holiday shopping season.”

The group has been around since at least late 2021, with Microsoft noting last month that Storm-0539 is a financially motivated group that typically targets retailers for such gift card schemes.

“Storm-0539 carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access,” the IT giant wrote in a profile. “The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities.”

In the latest phishing campaigns, Microsoft researchers wrote that the bad actors use URLs that, if clicked on by the target, lead to adversary-in-the-middle (AiTM) pages through which they steal credentials and session tokens.

Bypassing MFA Protections

With those in hand, Storm-0539 attackers can register their own devices that will receive secondary authentication prompts, allowing them to bypass multifactor authentication (MFA) protections and gain persistence in the victim’s environment by using the fully compromised identity, the researchers wrote.
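One way a defender could surface the pattern described above, a new MFA device registered shortly after a sign-in from an unfamiliar address, shown as an added example that is not from Microsoft or the original article. The event records and field names are constructed for illustration and do not follow any real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2023-12-01T09:00:00", "user": "alice", "type": "sign_in", "ip": "198.51.100.10"},
    {"time": "2023-12-04T09:02:00", "user": "alice", "type": "sign_in", "ip": "198.51.100.10"},
    {"time": "2023-12-05T14:30:00", "user": "alice", "type": "sign_in", "ip": "203.0.113.77"},
    {"time": "2023-12-05T14:36:00", "user": "alice", "type": "mfa_device_registered", "ip": "203.0.113.77"},
    {"time": "2023-12-02T08:00:00", "user": "bob", "type": "sign_in", "ip": "192.0.2.5"},
    {"time": "2023-12-06T08:10:00", "user": "bob", "type": "sign_in", "ip": "192.0.2.5"},
    {"time": "2023-12-06T08:15:00", "user": "bob", "type": "mfa_device_registered", "ip": "192.0.2.5"},
]

def find_suspicious_registrations(events, window=timedelta(minutes=30)):
    """Flag MFA device registrations that follow, within `window`, a sign-in
    from an IP address never seen before for that user."""
    known_ips = {}        # user -> set of IPs seen in earlier sign-ins
    new_ip_signins = {}   # user -> list of (time, ip) for first-time IPs
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user, ip = ev["user"], ev["ip"]
        seen = known_ips.setdefault(user, set())
        if ev["type"] == "sign_in":
            # The first sign-in for a user only seeds the baseline.
            if seen and ip not in seen:
                new_ip_signins.setdefault(user, []).append((t, ip))
            seen.add(ip)
        elif ev["type"] == "mfa_device_registered":
            for signin_time, signin_ip in new_ip_signins.get(user, []):
                if timedelta(0) <= t - signin_time <= window:
                    alerts.append({"user": user, "ip": signin_ip,
                                   "signin": signin_time.isoformat(),
                                   "registered": t.isoformat()})
                    break
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_registrations(EVENTS):
        print(alert)
```

The registration is matched on user and time rather than on address, since the device enrollment may come from a different address than the proxied sign-in.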

“With each successful compromise, Storm-0539 escalates privileges, moves laterally, and accesses cloud resources to collect specific information,” they wrote. “Storm-0539 enumerates internal resources and identifies gift card-related services that can be used for gift card fraud.”

Along with the gift card scams, the threat group also accesses other information, from email and contact lists to network configurations, which can be used in later attacks against the same organizations.

In response to the information from Microsoft, cybersecurity firm Guardian Digital wrote that it’s critical for retail organizations to remain vigilant during the holiday season, adding that “email is the source of more than 90% of all cyber attacks. Microsoft is great at email, but still needs help with email security.”

Growing Threat During the Holidays

Gift card scams have long been a threat to retailers and consumers. The U.S. Federal Trade Commission (FTC) earlier this year warned consumers about such schemes and gave tips for avoiding and reporting them.

The agency wrote that “only scammers will tell you to buy a gift card, like a Google Play or Apple Card, and give them the numbers off the back of the card. No matter what they say, that’s a scam. No real business or government agency will ever tell you to buy a gift card to pay them.”

The FTC added that “gift card scams start with a call, text, email, or social media message. Scammers will say almost anything to get you to buy gift cards – like Google Play, Apple, or Amazon cards – and hand over the card number and PIN codes.”

There are a number of different stories that bad actors will tell potential victims, including saying they’re from a government agency like the IRS or Social Security Administration, or from tech support from a company like Apple or Microsoft saying there’s a problem with the victim’s computer, the agency wrote.

They also may say they’re a family member or friend in an emergency, that the victim has won a prize, or that they’re from a utilities company. In addition, they may ask the victim for money after chatting on a dating website.

“Romance scammers will make up any story to trick you into buying a gift card to send them money,” the FTC wrote. “Slow down. Never send money or gifts to anyone you haven’t met in person — even if they send you money first.”

Beware ‘Card Draining’

This year, there also have been reports in the United States and elsewhere about “card draining” scams. Threat actors will record information like the card and associated PIN numbers of gift cards that have not yet been bought.

“Once those cards are then purchased by an unsuspecting consumer, the scammer immediately uses the numbers to make purchases, leaving the buyer with a worthless gift card,” according to the Pennsylvania Attorney General’s Office, noting that the card draining scheme has been used more than 100 times at a grocery store in the eastern part of the state.

Scammers also may take gift cards off the shelves and take them somewhere else, putting decoy items in their place, according to USA Today. After getting the information from the gift cards, they put the cards they tampered with back on the shelves and wait for people to buy them.

