Cybercriminal threat actors often specialize, refining their techniques for specific types of fraud such as stealing payment card data, executing tax refund fraud, running reshipping schemes and more. Since 2021, a threat actor group called ATLAS LION, also known as THIRSTY CAMELS and Storm-0539, has developed effective methods for targeting gift card issuing systems. This group has mounted gift card theft campaigns against a variety of top-tier brands, including large online retailers, insurance companies, telecommunications operators and more.
To gain access to enterprise systems, ATLAS LION uses phishing over email and over short message service (SMS), known as “smishing,” to trick employees of targeted organizations into divulging their access credentials. It uses an array of effective phishing tactics. The campaigns typically employ adversary-in-the-middle (AITM) phishing pages, which enable ATLAS LION to steal both credentials and session tokens. An AITM page consists of a front-end phishing page that is sent to potential victims. When someone enters credentials there, the page proxies them to the legitimate service. When the legitimate service accepts the credentials and returns a session cookie, the proxy collects that cookie and funnels it to the attackers. This powerful attack not only gives attackers the credentials; possession of the session cookie also lets them circumvent multifactor authentication (MFA).
ATLAS LION has also developed a deep understanding of cloud infrastructure and identity providers and their systems. The actors operate using free trials and pay-as-you-go subscriptions for cloud services. Sometimes, ATLAS LION actors masquerade as legitimate nonprofit organizations to secure sponsorships from a variety of cloud providers. They also leverage compromised cloud infrastructure. Additionally, they conduct extensive reconnaissance of the federated identity service providers at targeted companies to effectively replicate the user sign-in experience. Those AITM pages often spoof Okta, the identity provider used widely across the technology industry, with domains that closely mimic those of legitimate services.
After gaining access to an initial session and a session token, ATLAS LION will register one of its own devices for subsequent secondary authentication prompts. This effectively bypasses MFA protections and allows them to maintain a presence within an organization’s compromised cloud environment. Once the group infiltrates an employee's account, the attackers move laterally through the network and seek other accounts linked to the gift card business process. The actors then use these compromised employee accounts to further steal secure shell (SSH) passwords, keys and employee information. Eventually, the actors find the issuing systems and then fraudulently generate gift cards.
Gift cards are an appealing fraud target as little personally identifiable information (PII) is needed for redemption, and it’s a fluid transfer of value that lies outside banking systems. The cards can be readily resold at discounted rates to other threat actors on cybercriminal forums or marketplaces. This group has attracted the attention of other researchers, including Microsoft, which published a report on ATLAS LION in May 2024. In this blog post, we will add to the public knowledge of the group by describing some of the recent phishing campaigns created by ATLAS LION. Some of the details of the campaigns have been described in general terms so as to not reveal how our analysts track new campaigns. For the full, unredacted report, please contact Intel 471.
Phishing Kits
Analysis of early ATLAS LION-associated phishing pages revealed several items of interest. The kits contained elements in French, and compromised accounts were often accessed from IP addresses located in Morocco. Intercepted login data was exfiltrated in real time. From Feb. 22, 2023, to June 6, 2024, we identified 222 phishing sites possibly linked to the activity of actors within the ATLAS LION cluster. Our comprehensive analysis of these sites enabled the discovery of additional webpages using the same phishing kits. These kits were designed to harvest usernames, passwords and MFA tokens, which the threat actors then used to access virtual desktop infrastructure (VDI). While most of the kits extracted resources directly from Okta’s website, we also observed the threat actors experimenting with a variety of other kits, including Gophish. Gophish is an open source framework designed for testing an organization’s susceptibility to phishing. We identified nine different themes in the phishing kits ATLAS LION potentially used. Those included four Okta kits used across 86 domains, a Microsoft-themed kit used across 22 domains, a Gophish kit used across nine domains, a Salesforce-themed kit deployed on 12 domains and one kit that used Telegram across 14 domains.
We observed all of these phishing kits in use at various times throughout the year. Occasionally, kits employing as many as seven different themes were used within a single week. This pattern diverges significantly from that observed in the phishing pages used by The Com intrusion cluster. The Com is a large group of English-speaking threat actors referred to by several names, including Scattered Spider, 0ktapus, Roasted 0ktapus, Octo Tempest, Storm-0875 and UNC3944. The Com-related threat actors have in some cases used the same phishing kit for extended periods ranging from weeks to months. In contrast, ATLAS LION frequently switched between different phishing kits, as illustrated by changing unique identifiers, domain name patterns, URL paths and infrastructure reuse.
Infrastructure
Since September 2023, we observed the continued use of the SERVERCENTRAL (ASN23352), DIALHOST (ASN262448) and ZAM LTDA (ASN42368) hosting providers by ATLAS LION. For domain registration, threat actors frequently used PDR Ltd. dba PublicDomainRegistry.com, NameCheap Inc. and GoDaddy.
Actors within the ATLAS LION cluster reuse infrastructure and deploy multiple kits from the same IP address or compromised domain. For example, we observed the same IP address 204[.]93[.]224[.]37 affiliated with five different domains, four of which were detected the same day. Each compromised website had a top-level domain (TLD) from Peru. Among the four domains, three different kits were identified and each targeted a different victim organization. One of the compromised websites later was associated with another ATLAS LION kit three months afterward — once again using a different kit and targeting another organization. In another example, we identified three potential ATLAS LION deployments on the compromised domain aighanim[.]com. Each detection targeted a different company using a different kit within the same week. However, ATLAS LION campaigns have been observed reusing infrastructure months after the initial deployment of a kit. This suggests blocking all ATLAS LION domains — even those currently targeting different companies — is likely an effective mitigation strategy.
Naming Convention
While ATLAS LION actors sometimes registered their own domains, they primarily conducted cPanel takeovers of existing domains. cPanel is website administration software; threat actors may be able to take over a site if its cPanel credentials have been compromised. When researching potential ATLAS LION domains, we encountered cPanel login pages in several cases, which likely indicates the URL was scanned while the threat actors were still deploying the phishing kit. Many threat actors use cPanel's File Manager to upload compressed archive (.zip) files containing phishing kits during setup. Additionally, ATLAS LION actors frequently have been observed registering long, fully qualified domain names (FQDNs) that place keywords related to their targets, such as Okta, ServiceNow, SharePoint or Workday, ahead of the compromised domain. The group recently deployed kits with URLs that followed a general format such as victim.servicenow.domain, victim.okta.domain or a combination of the two such as victim.okta.servicenow.domain. “ServiceNow” was the most commonly used subdomain string and appeared in a variety of forms including “servicenow,” “service-now” and “services-now.” We often observed ATLAS LION domains feature a URL folder structure ending in “index.html.” More than half of all domains we studied included “index.html” at the end of the folder structure, frequently preceded by “saml2,” “Udlaps,” “ServiceNow,” “oauth2.6” or “okta.”
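The naming convention just described and the infrastructure reuse described under Infrastructure both lend themselves to simple triage logic. The following Python is an added example and not Intel 471's tooling: it scores URLs against the subdomain keywords, FQDN length and trailing-folder patterns above, and pivots sightings by hosting IP to surface sibling deployments. The sightings it runs over are constructed (reserved example domains and TEST-NET addresses, placeholder kit and target names), and the length and label-count thresholds are assumptions to tune against real data.

```python
"""Triage heuristics for the ATLAS LION URL naming convention described above,
plus the hosting-IP pivot used to find sibling deployments. Added example; the
sightings below are constructed and are not observed indicators."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Brand keywords the post reports ahead of the compromised domain; the first
# alternative also matches "service-now" and "services-now".
SUBDOMAIN_KEYWORDS = re.compile(r"services?-?now|okta|sharepoint|workday", re.I)
# Folder names the post reports immediately before a trailing index.html.
PATH_MARKERS = {"saml2", "udlaps", "servicenow", "oauth2.6", "okta"}

# Constructed sightings: url, hosting IP, kit theme and impersonated target.
SAMPLE_SIGHTINGS = [
    {"url": "https://acme-corp.okta.services-now.compromised-site.example/saml2/index.html",
     "ip": "203.0.113.10", "kit": "okta-A", "target": "Acme Corp"},
    {"url": "https://acme-corp.servicenow.compromised-site.example/oauth2.6/index.html",
     "ip": "203.0.113.10", "kit": "servicenow-B", "target": "Acme Corp"},
    {"url": "https://globex.sharepoint.another-victim.example/okta/index.html",
     "ip": "203.0.113.10", "kit": "microsoft-C", "target": "Globex"},
    {"url": "https://www.example.org/about/index.html",
     "ip": "198.51.100.7", "kit": None, "target": None},
]


def score_url(url):
    """Return which heuristics a URL matches and a score from 0 to 4."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Registrable domain approximated as the last two labels; keywords are only
    # interesting when they appear in the subdomain ahead of it.
    subdomain = ".".join(labels[:-2])
    segs = [s for s in parts.path.split("/") if s]
    keyword = bool(SUBDOMAIN_KEYWORDS.search(subdomain))
    # Thresholds for "long FQDN" are assumptions, not figures from the post.
    long_fqdn = len(host) >= 30 and len(labels) >= 4
    index_html = bool(segs) and segs[-1].lower() == "index.html"
    marker = index_html and len(segs) >= 2 and segs[-2].lower() in PATH_MARKERS
    return {"host": host, "keyword": keyword, "long_fqdn": long_fqdn,
            "index_html": index_html, "path_marker": marker,
            "score": int(keyword) + int(long_fqdn) + int(index_html) + int(marker)}


def suspicious_hosts(sightings, threshold=3):
    """Hosts whose URL scores at or above the threshold, in input order."""
    scored = [score_url(s["url"]) for s in sightings]
    return [r["host"] for r in scored if r["score"] >= threshold]


def pivot_by_ip(sightings):
    """Group sightings by hosting IP and keep IPs that served more than one host,
    with the distinct kits and target organizations seen behind each."""
    by_ip = defaultdict(lambda: {"hosts": set(), "kits": set(), "targets": set()})
    for s in sightings:
        entry = by_ip[s["ip"]]
        entry["hosts"].add(urlparse(s["url"]).hostname)
        if s.get("kit"):
            entry["kits"].add(s["kit"])
        if s.get("target"):
            entry["targets"].add(s["target"])
    return {ip: e for ip, e in by_ip.items() if len(e["hosts"]) > 1}


if __name__ == "__main__":
    for s in SAMPLE_SIGHTINGS:
        print(score_url(s["url"]))
    for ip, e in pivot_by_ip(SAMPLE_SIGHTINGS).items():
        print(ip, sorted(e["hosts"]), sorted(e["kits"]), sorted(e["targets"]))
```

The pivot is the practical half: once one host scores high, every other host served from the same address is a candidate for the blocklist regardless of which organization it currently impersonates, which is the mitigation the Infrastructure section argues for.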
Victimology
Analysis of ATLAS LION domains revealed a strong preference for targeting entities in the consumer and industrial products sector, which account for more than half of all impersonated organizations. This focus aligns closely with ATLAS LION’s primary targeting of the retail and gift card industries. However, it is important to note the group also targeted companies in other sectors, including professional consulting and financial services.
Assessment
The ATLAS LION intrusion cluster features skilled actors who have been successfully conducting gift card fraud since at least 2021. Actors within the cluster likely target gift cards because the cards require little PII for redemption and can readily be resold at discounted rates to other threat actors on cybercriminal forums or marketplaces. The group’s operational strategy is marked by frequent changes of phishing kit combined with reuse of infrastructure. This approach creates a dichotomy: dynamism in phishing tactics enhances evasion, but certain forensic clues remain, allowing for defensive measures.
Given the increased scrutiny from the cyber threat intelligence (CTI) community — particularly after Microsoft’s detailed exposé in May 2024 — ATLAS LION actors likely will adjust their tactics, techniques and procedures (TTPs). In 2024, the ATLAS LION cluster began to register its own signature domains, possibly to obscure its typical URL patterns. Despite potential operational changes, the ATLAS LION cluster is expected to continue targeting the retail sector, perpetuating gift card fraud on a significant scale. In light of these developments, maintaining vigilance and staying updated on changes in the threat landscape are crucial to effectively safeguard against these evolving cyber threats.
Recommendations
Phishing is one of the most common attack vectors cybercriminals use. Common mitigation strategies organizations can implement according to the MITRE Detection, Denial and Disruption Framework Empowering Network Defense (D3FEND) knowledge graph of cybersecurity measures include:
Harden
U2F: Universal 2nd Factor (U2F) authentication involves a physical hardware key whose response the browser binds to the origin of the page requesting it. If the domain displayed in the browser's address bar does not match the domain the key was registered for, the authentication fails and the exchange stops. This security measure ensures the authentication process can only complete with the correct, designated domain.
FIDO2: Use Fast Identity Online 2 (FIDO2) authentication, which includes Web Authentication (WebAuthn) and the Client to Authenticator Protocol (CTAP) standards, enabling password-free login or two-factor authentication (2FA). These physical security devices can verify user identity using biometric data, which enhances security significantly. FIDO2 keys ensure authentication only is performed on legitimate websites, providing strong protection against phishing.
MFA: Although ATLAS LION actors are effective at circumventing MFA using AITM techniques, MFA still provides a useful layer of security that can delay an actor gaining access to a network.
Least privilege access: Apply strict access controls across all technology stacks to ensure users have only the permissions necessary to perform their tasks, minimizing potential breach impacts.
Conditional access policies: Implement conditional access policies that evaluate authentication requests based on identity-driven signals such as IP address location and device status.
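To make concrete why the U2F and FIDO2 recommendations above hold up against the AITM proxying described at the start of the post, here is an added simulation. It is not Intel 471's code and not a WebAuthn implementation: HMAC-SHA256 stands in for the authenticator's asymmetric signature so the example stays in the Python standard library, and the relying party sso.example.com and the look-alike host are constructed. What it shows is the two checks a relayed login cannot pass: the browser refuses to use the real rpId on a foreign origin, and the relying party rejects any assertion whose clientDataJSON origin or rpIdHash is not its own.

```python
"""Why U2F/FIDO2 defeats an AITM proxy: the browser binds every assertion to
the origin the user is actually on, and the relying party (RP) checks that
binding. Added simulation, not a WebAuthn library; domains are constructed."""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "sso.example.com"                                      # constructed RP
RP_ORIGIN = "https://sso.example.com"
PHISH_ORIGIN = "https://sso-example-com.login-portal.example"  # constructed look-alike


class Authenticator:
    """One credential per RP ID. A real key signs with a per-credential
    asymmetric key; HMAC-SHA256 stands in here. Origin binding is unchanged."""

    def __init__(self):
        self.credentials = {}  # rp_id -> credential secret

    def register(self, rp_id):
        secret = os.urandom(32)
        self.credentials[rp_id] = secret
        return secret  # the RP keeps this in place of the credential public key

    def get_assertion(self, rp_id, client_data_hash):
        secret = self.credentials.get(rp_id)
        if secret is None:
            return None  # no credential for this RP ID: nothing to sign
        # authenticatorData = SHA256(rpId) || flags (user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"authenticator_data": auth_data, "signature": sig}


def rp_id_allowed(origin, rp_id):
    """Browser rule: rpId must equal the origin's host or be a parent domain of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(origin, rp_id, challenge, authn):
    """Browser side of navigator.credentials.get(): enforces rp_id_allowed and
    writes the real origin into clientDataJSON, which the page cannot alter."""
    if not rp_id_allowed(origin, rp_id):
        raise ValueError(f"rpId {rp_id!r} not valid for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    assertion = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if assertion is not None:
        assertion["client_data_json"] = client_data
    return assertion


def rp_verify(assertion, expected_origin, rp_id, challenge, credential_secret):
    """RP-side checks in spec order: type, origin, challenge, rpIdHash, then the
    signature over authenticatorData || SHA256(clientDataJSON)."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data_json"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False  # the check a relaying proxy cannot satisfy
    if cd.get("challenge") != challenge.hex():
        return False
    auth_data = assertion["authenticator_data"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(assertion["client_data_json"]).digest()
    expected = hmac.new(credential_secret, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(authn, secret):
    challenge = os.urandom(32)
    assertion = browser_get_assertion(RP_ORIGIN, RP_ID, challenge, authn)
    return rp_verify(assertion, RP_ORIGIN, RP_ID, challenge, secret)


def aitm_relayed_login(authn, secret):
    """The proxy obtains a real challenge from the RP and relays it to the victim
    on the phishing origin. The browser refuses the real rpId there, and even a
    credential enrolled for the look-alike host yields an assertion the RP rejects."""
    challenge = os.urandom(32)  # obtained by the proxy from the real RP
    phish_host = urlparse(PHISH_ORIGIN).hostname
    authn.register(phish_host)  # worst case: victim once enrolled on the look-alike
    assertion = browser_get_assertion(PHISH_ORIGIN, phish_host, challenge, authn)
    return rp_verify(assertion, RP_ORIGIN, RP_ID, challenge, secret)


if __name__ == "__main__":
    authn = Authenticator()
    secret = authn.register(RP_ID)
    print("legitimate login accepted:", legitimate_login(authn, secret))
    print("relayed login accepted:   ", aitm_relayed_login(authn, secret))
```

Contrast this with a TOTP or push prompt: the code the victim types on the phishing page is valid for the real service, so the proxy simply forwards it. A FIDO2 assertion carries the origin inside the signed data, so forwarding it gains the proxy nothing.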
Detect
URL analysis: Scrutinize URLs to ensure they are legitimate and, if uncertain, pass them to the security team for further analysis.
User behavior analysis: Establish a baseline of normal user behavior to detect anomalies. Monitoring for irregular activities can help identify potential security breaches early.
Monitor logs for suspicious activity: Continuously monitor system logs for suspicious logins and other indicators of initial access attempts that exploit cloud identity.
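As an added example of the log monitoring recommended above (not part of the original post), the following Python runs two detections over constructed identity-provider events: a session identifier appearing from more than one source address, which is what AITM session theft looks like from the service side, and a new MFA factor activated shortly after a sign-in from outside the user's baseline countries, the device-registration step described earlier in the post. Event type names are placeholders loosely modelled on Okta-style naming rather than a vendor schema; the users, addresses, baseline and enrollment window are all constructed.

```python
"""Two detections for the post-compromise pattern described earlier, run over
constructed identity-provider events. Added example; event type names are
placeholders, and users, addresses and the baseline are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

ENROLL_WINDOW = timedelta(minutes=30)  # assumption: tune to your environment

# Countries each user signed in from over a prior baseline period (constructed).
BASELINE = {"jdoe": {"US"}, "asmith": {"US", "CA"}}

# Constructed events. "ZZ" is a placeholder country code for an unexpected geo.
EVENTS = [
    {"ts": "2024-05-06T08:02:11Z", "type": "user.session.start", "user": "jdoe",
     "ip": "198.51.100.20", "country": "US", "session": "s-111"},
    {"ts": "2024-05-06T08:05:40Z", "type": "user.session.start", "user": "jdoe",
     "ip": "203.0.113.55", "country": "ZZ", "session": "s-111"},
    {"ts": "2024-05-06T08:09:03Z", "type": "user.mfa.factor.activate", "user": "jdoe",
     "ip": "203.0.113.55", "country": "ZZ", "session": "s-111"},
    {"ts": "2024-05-06T09:15:00Z", "type": "user.session.start", "user": "asmith",
     "ip": "198.51.100.21", "country": "CA", "session": "s-222"},
    {"ts": "2024-05-06T09:40:00Z", "type": "user.mfa.factor.activate", "user": "asmith",
     "ip": "198.51.100.21", "country": "CA", "session": "s-222"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_reuse(events):
    """A session identifier seen from more than one source IP. A stolen session
    cookie replayed through the attacker's infrastructure looks exactly like this."""
    ips = defaultdict(set)
    for e in events:
        ips[e["session"]].add(e["ip"])
    return [("session_reused_from_multiple_ips", sid, sorted(v))
            for sid, v in ips.items() if len(v) > 1]


def detect_enrollment_after_anomalous_login(events, baseline, window=ENROLL_WINDOW):
    """A sign-in from outside the user's baseline countries, followed within
    `window` by activation of a new MFA factor (attacker registering a device)."""
    findings = []
    last_anomalous = {}  # user -> timestamp of most recent out-of-baseline sign-in
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts = parse_ts(e["ts"])
        if e["type"] == "user.session.start":
            if e["country"] not in baseline.get(e["user"], set()):
                last_anomalous[e["user"]] = ts
                findings.append(("signin_outside_baseline", e["user"], e["country"]))
        elif e["type"] == "user.mfa.factor.activate":
            seen = last_anomalous.get(e["user"])
            if seen is not None and ts - seen <= window:
                findings.append(("mfa_enrolled_after_anomalous_login", e["user"], e["ip"]))
    return findings


def detect(events, baseline):
    """Run both detections; session-reuse findings come first."""
    return detect_session_reuse(events) + detect_enrollment_after_anomalous_login(events, baseline)


if __name__ == "__main__":
    for finding in detect(EVENTS, BASELINE):
        print(finding)
```

The second rule is the one worth wiring to an automatic response: a factor enrolled inside the window after an out-of-baseline sign-in is a strong signal to revoke the session and the new factor, then re-verify the user out of band, because the attacker otherwise keeps a persistent MFA-capable foothold.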
Prevent
Employee awareness training: Conduct regular training sessions for employees to recognize and respond to smishing and phishing scams. Teach them how these scams operate, how to identify phishing texts or emails and how to report them.
Teach identification of AITM phishing pages: Train employees on how to identify AITM phishing pages used to capture credentials and secondary authentication tokens, focusing on URL and website content scrutiny.
MITRE ATT&CK techniques
This report uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework.
Technique Title | ID | Use |
Resource Development [TA0042] | | |
Acquire Infrastructure: Domains | T1583.001 | The ATLAS LION intrusion cluster creates and uses domains that mimic legitimate services for its AITM phishing pages, employing typosquatting and compromising legitimate WordPress domains to craft AITM landing pages.[3] Our researchers identified 222 unique phishing domains created from Feb. 22, 2023, to May 30, 2024, that hosted phishing pages likely linked to the ATLAS LION intrusion cluster. |
Acquire Infrastructure: Virtual Private Server | T1583.003 | Adversaries likely rented virtual private servers (VPSs) to host their phishing infrastructure. |
Obtain Capabilities: Tool | T1588.002 | Adversaries used multiple phishing kits to effectively replicate sign-in experiences of targeted organizations, facilitating MFA protection bypass through AITM pages. |
Initial Access [TA0001] | | |
Phishing | T1566 | Adversaries primarily employed smishing to compromise retail organization employees and specifically targeted those linked to gift card processes. |
Discovery [TA0007] | | |
Account Discovery | T1087 | Adversaries conducted deep reconnaissance on gift card issuance processes, portals and employees with access to these systems and exploited the cloud-based environment.[3] |
Lateral Movement [TA0008] | | |
Remote Services: SSH | T1021.004 | After initial access, adversaries moved laterally using stolen SSH keys and passwords to further infiltrate and control the network, especially focusing on gift card systems.[3] |