The Rising Threat of Holiday Gift Card Fraud

admin, December 19, 2023, 09:29:34

Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.

The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens.

"After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity," the tech giant said in a series of posts on X (formerly Twitter).
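The device registration step described in the quote above leaves a trace defenders can look for. The following is an added example, not code from Microsoft or the original article: it flags MFA device registrations that closely follow a sign-in from an IP address not previously seen for that user. The event field names, the sample events, and the 60-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed review window; tune per environment

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2023-12-01T09:00:00", "user": "alice", "type": "signin", "ip": "198.51.100.10"},
    {"time": "2023-12-04T09:05:00", "user": "alice", "type": "signin", "ip": "198.51.100.10"},
    {"time": "2023-12-04T09:20:00", "user": "alice", "type": "mfa_device_registered", "ip": "198.51.100.10"},
    {"time": "2023-12-05T02:11:00", "user": "bob", "type": "signin", "ip": "198.51.100.20"},
    {"time": "2023-12-06T03:00:00", "user": "bob", "type": "signin", "ip": "203.0.113.77"},
    {"time": "2023-12-06T03:04:00", "user": "bob", "type": "mfa_device_registered", "ip": "203.0.113.77"},
]

def suspicious_registrations(events, window=WINDOW):
    """Return MFA registrations made soon after a sign-in from a first-seen IP."""
    known_ips = {}      # user -> IPs seen in earlier sign-ins
    new_ip_signin = {}  # user -> (time, ip) of latest sign-in from a first-seen IP
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user, ip = ev["user"], ev["ip"]
        seen = known_ips.setdefault(user, set())
        if ev["type"] == "signin":
            # A user's very first sign-in only seeds the baseline.
            if seen and ip not in seen:
                new_ip_signin[user] = (when, ip)
            seen.add(ip)
        elif ev["type"] == "mfa_device_registered":
            hit = new_ip_signin.get(user)
            # Alert only when the registration comes from that new IP, inside the window.
            if hit and hit[1] == ip and when - hit[0] <= window:
                minutes = int((when - hit[0]).total_seconds() // 60)
                alerts.append({"user": user, "ip": ip, "minutes_after_signin": minutes})
    return alerts

if __name__ == "__main__":
    for alert in suspicious_registrations(EVENTS):
        print(alert)
```

An alert from this logic is a prompt to review the registered device and revoke the user's sessions and the new authentication method if the owner does not recognize it.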

The foothold obtained in this manner further acts as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources in order to grab sensitive information, specifically going after gift card-related services to facilitate fraud.

On top of that, Storm-0539 collects emails, contact lists, and network configurations for follow-on attacks against the same organizations, which makes robust credential hygiene practices essential.

Redmond, in its monthly Microsoft 365 Defender report published last month, described the adversary as a financially motivated group that has been active since at least 2021.

"Storm-0539 carries out extensive reconnaissance of targeted organizations in order to craft convincing phishing lures and steal user credentials and tokens for initial access," it said.

"The actor is well-versed in cloud providers and leverages resources from the target organization's cloud services for post-compromise activities."

The disclosure comes days after the company said it obtained a court order to seize the infrastructure of a Vietnamese cybercriminal group called Storm-1152 that sold access to approximately 750 million fraudulent Microsoft accounts as well as identity verification bypass tools for other technology platforms.

Earlier this week, Microsoft also warned that multiple threat actors are abusing OAuth applications to automate financially motivated cyber crimes, such as business email compromise (BEC), phishing, and large-scale spamming campaigns, and to deploy virtual machines to illicitly mine cryptocurrencies.

Originally published on the WeChat official account 知机安全: The Rising Threat of Holiday Gift Card Fraud
