
Cyber Attackers Target Retail Gift Cards with Cloud-Only Tactics

Summary

– Suspected Morocco-based attackers are targeting global retailers and businesses to issue unauthorized gift cards through a campaign called Jingle Thief.
– The attackers use phishing and smishing to steal account credentials, operating entirely in cloud environments without deploying malware.
– They access cloud services like Microsoft 365 to search for internal documents on gift-card workflows and attempt to compromise more employee accounts.
– To maintain persistence and avoid detection, they manipulate email folders, set up forwarding rules, and register rogue devices to bypass multi-factor authentication.
– Companies are advised to prioritize identity-based monitoring to detect unusual login patterns and identity misuse for early threat response.

A sophisticated cyber operation is currently targeting global retailers and businesses that issue gift cards, and it involves no malware and no endpoint exploitation at all. The campaign operates exclusively within cloud environments, using credentials stolen through deceptive emails and text messages. Palo Alto Networks' Unit 42 researchers found that once inside, the attackers concentrate on acquiring the permissions needed to generate and distribute unauthorized gift cards, without ever placing malicious software on company devices.

Dubbed “Jingle Thief” because of its seasonal timing around holidays, the scheme begins with targeted phishing. Employees receive fraudulent emails or SMS messages that direct them to counterfeit login pages mimicking trusted platforms like Microsoft 365. After capturing user credentials, the attackers log directly into cloud services and begin exploring the digital workspace. Their objective is to locate internal documents detailing gift-card procedures, ticketing systems, VPN configurations, and virtual machine access, all critical for understanding how to issue cards illicitly.

Using the initially hijacked account, the threat actors send additional phishing messages disguised as IT service alerts to other staff members. Because these messages originate from a real colleague's mailbox, they pass sender checks and look credible, which increases the likelihood that recipients will disclose their login details. To conceal this activity, the attackers immediately move the sent and received phishing emails out of the standard folders into Deleted Items. They also create inbox rules that forward messages to external accounts under their control, which lets them monitor approvals, financial workflows, and support tickets related to gift cards without logging in again.

For long-term access, the group employs several persistence techniques. They trigger self-service password resets when needed, and they quietly register additional devices in Microsoft Entra ID along with authenticator applications they control. Once a rogue authenticator is enrolled as an MFA method, the attackers can satisfy MFA prompts themselves, so access survives password changes and session revocations unless the rogue devices and authentication methods are removed as well.
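The concealment and persistence behaviors described in the two paragraphs above (hiding phishing mail, external forwarding rules, and device or authenticator registration following a password reset) all leave records in Microsoft 365's unified audit log. The following detection is an added example written for this page, not code from Unit 42, Palo Alto Networks, or HelpNet Security. It assumes audit records exported as JSON with the log's top-level fields (CreationTime, Workload, Operation, UserId, Parameters); the tenant domain, the operation name strings, and the sample records are constructed assumptions.

```python
"""Hunt exported Microsoft 365 audit records for Jingle Thief-style mailbox and MFA persistence.

Added example for illustration; the records below are constructed, not real telemetry.
"""
import re
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.example"}  # assumed tenant domains; anything else is external

# Inbox-rule / mailbox parameters that send copies of mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Entra ID audit operation names (assumed to match the unified audit log strings).
REGISTRATION_OPS = {"User registered security info.", "Register device.", "Add registered owner to device."}
PASSWORD_OPS = {"Reset user password.", "Reset password (self-service)."}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w.-]+)")

# Constructed sample export: one hostile rule, one benign rule, a reset followed by enrollments.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-12-02T08:11:05", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "IT alerts"},
                    {"Name": "SubjectContainsWords", "Value": "gift card;approval;ticket"},
                    {"Name": "ForwardTo", "Value": "[SMTP:ops.relay@mailbox-hosting.example]"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}]},
    {"CreationTime": "2024-12-02T08:14:40", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2024-12-02T09:02:13", "Workload": "AzureActiveDirectory",
     "Operation": "Reset password (self-service).", "UserId": "alice@contoso.example", "Parameters": []},
    {"CreationTime": "2024-12-02T09:06:51", "Workload": "AzureActiveDirectory",
     "Operation": "User registered security info.", "UserId": "alice@contoso.example", "Parameters": []},
    {"CreationTime": "2024-12-02T09:07:30", "Workload": "AzureActiveDirectory",
     "Operation": "Register device.", "UserId": "alice@contoso.example", "Parameters": []},
    {"CreationTime": "2024-11-20T10:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "User registered security info.", "UserId": "carol@contoso.example", "Parameters": []},
]


def _params(record):
    """Flatten the audit record's Parameters list into a name -> string value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def find_suspicious_inbox_rules(records):
    """Return (user, rule name, reasons) for rules that forward externally or hide mail."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPS:
            continue
        params = _params(rec)
        reasons = []
        for name in sorted(FORWARD_PARAMS.intersection(params)):
            external = {d.lower() for d in EMAIL_RE.findall(params[name])
                        if d.lower() not in INTERNAL_DOMAINS}
            if external:
                reasons.append(f"{name} -> external domain(s) {sorted(external)}")
        if (params.get("MoveToFolder", "").lower() == "deleted items"
                or params.get("DeleteMessage", "").lower() == "true"):
            reasons.append("rule hides matching mail (moved to Deleted Items / deleted)")
        if reasons:
            findings.append((rec["UserId"], params.get("Name", "<unnamed>"), reasons))
    return findings


def find_registrations_after_reset(records, window=timedelta(hours=24)):
    """Return (user, operation, time, after_reset) for every MFA-method or device registration.

    after_reset is True when a password reset for the same user precedes the registration
    within `window`; registrations with no recent reset are still listed for review.
    """
    def ts(rec):
        return datetime.fromisoformat(rec["CreationTime"])

    by_user = {}
    for rec in records:
        if rec.get("Workload") == "AzureActiveDirectory":
            by_user.setdefault(rec["UserId"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        last_reset = None
        for rec in sorted(recs, key=ts):
            if rec["Operation"] in PASSWORD_OPS:
                last_reset = ts(rec)
            elif rec["Operation"] in REGISTRATION_OPS:
                recent = last_reset is not None and ts(rec) - last_reset <= window
                findings.append((user, rec["Operation"], rec["CreationTime"], recent))
    return findings


if __name__ == "__main__":
    for user, name, reasons in find_suspicious_inbox_rules(SAMPLE_RECORDS):
        print(f"[inbox rule] {user} rule '{name}': " + "; ".join(reasons))
    for user, op, when, after_reset in find_registrations_after_reset(SAMPLE_RECORDS):
        print(f"[registration] {user} {op} at {when} "
              + ("(AFTER PASSWORD RESET)" if after_reset else "(no recent reset)"))
```

Run against a real export, the first function surfaces Alice's rule twice over (external forward plus hide-in-Deleted-Items) while leaving Bob's newsletter rule alone; the second pairs her self-service reset with the authenticator and device enrollments minutes later, which is exactly the sequence that keeps the attacker in after a password change.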

According to analysts, the attackers' varied methods, including credential harvesting, inbox manipulation, email forwarding, and rogue device enrollment, all serve a single aim: acquiring and monetizing gift cards at scale. In observed incidents, repeated attempts were made to access multiple gift-card platforms, with efforts focused on issuing high-value cards. These can then be sold or used in money-laundering schemes, converting the theft into hard-to-trace cash or short-term credit. Because every action runs through legitimate cloud workflows under a valid account, the activity produces no endpoint malware artifacts and blends into ordinary sign-in and mailbox activity, which helps the group remain undetected for extended periods.

Palo Alto Networks' Unit 42 attributes the campaign, with moderate confidence, to financially motivated actors based in Morocco, and notes some overlap with a threat group publicly known as Atlas Lion. Palo Alto Networks has released indicators of compromise and advises retail and consumer-service companies to strengthen identity-focused defenses. Prioritizing identity-based monitoring, such as analyzing user behavior, login anomalies (sign-ins from unfamiliar locations), and signs of credential misuse (new inbox rules, new MFA methods, and device registrations), is increasingly vital for early detection and rapid response.
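The "login anomalies" the advice above refers to can be computed directly from Entra ID sign-in logs. The block below is an added example for this page, not code from Unit 42, Palo Alto Networks, or HelpNet Security. It assumes sign-in records exported in a trimmed-down version of the sign-in log's shape (userPrincipalName, createdDateTime, status.errorCode, location.countryOrRegion, location.geoCoordinates); the speed threshold, the baseline window, and the sample records are constructed assumptions. It implements two checks: impossible travel between consecutive successful sign-ins, and a successful sign-in from a country absent from the user's own history.

```python
"""Identity-based monitoring over exported Entra ID sign-in records.

Added example for illustration; the records and thresholds below are constructed assumptions.
"""
import math
from datetime import datetime, timedelta

MAX_PLAUSIBLE_KMH = 900.0  # assumed: faster than an airliner means two parties, not one traveller
BASELINE_DAYS = 30         # assumed: countries seen before this window form the user's baseline


def _loc(rec, country="US", lat=40.71, lon=-74.01):
    return {"countryOrRegion": country, "geoCoordinates": {"latitude": lat, "longitude": lon}}


# Constructed sample: Alice's real NYC sign-ins plus one from Amsterdam 45 minutes later;
# Bob's Chicago sign-ins plus a failed attempt from Brazil that must be ignored.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-10-15T09:00:00",
     "status": {"errorCode": 0}, "location": _loc(None)},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-12-02T07:55:00",
     "status": {"errorCode": 0}, "location": _loc(None)},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-12-02T08:40:00",
     "status": {"errorCode": 0}, "location": _loc(None, "NL", 52.37, 4.90)},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-10-20T12:00:00",
     "status": {"errorCode": 0}, "location": _loc(None, "US", 41.88, -87.63)},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-12-01T12:00:00",
     "status": {"errorCode": 50126}, "location": _loc(None, "BR", -23.55, -46.63)},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-12-01T12:30:00",
     "status": {"errorCode": 0}, "location": _loc(None, "US", 41.88, -87.63)},
]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"])


def _successful_by_user(records):
    """Group successful sign-ins (errorCode 0) per user, sorted by time."""
    out = {}
    for rec in records:
        if rec["status"]["errorCode"] == 0:
            out.setdefault(rec["userPrincipalName"], []).append(rec)
    for recs in out.values():
        recs.sort(key=_ts)
    return out


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(records, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful sign-ins whose implied travel speed exceeds max_kmh.

    Returns (user, t1, country1, t2, country2, km/h). Two sign-ins at the same instant but
    different places count as infinite speed; same place is never flagged.
    """
    findings = []
    for user, recs in _successful_by_user(records).items():
        for prev, cur in zip(recs, recs[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append((user, prev["createdDateTime"], prev["location"]["countryOrRegion"],
                                 cur["createdDateTime"], cur["location"]["countryOrRegion"], round(speed)))
    return findings


def new_country_signins(records, baseline_days=BASELINE_DAYS, now=None):
    """Flag recent successful sign-ins from a country missing from the user's baseline.

    The baseline is the set of countries the user signed in from before the window;
    users with no history are skipped because there is nothing to compare against.
    """
    by_user = _successful_by_user(records)
    if now is None:
        now = max(_ts(r) for recs in by_user.values() for r in recs)
    cutoff = now - timedelta(days=baseline_days)
    findings = []
    for user, recs in by_user.items():
        baseline = {r["location"]["countryOrRegion"] for r in recs if _ts(r) < cutoff}
        if not baseline:
            continue
        for r in recs:
            if _ts(r) >= cutoff and r["location"]["countryOrRegion"] not in baseline:
                findings.append((user, r["createdDateTime"], r["location"]["countryOrRegion"]))
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_SIGNINS):
        print("[impossible travel]", f)
    for f in new_country_signins(SAMPLE_SIGNINS):
        print("[new country]", f)
```

Failed attempts are deliberately excluded from both checks: a credential-stuffing burst from abroad is a different signal, and counting it would hide the successful sign-in that matters. In practice the new-country check is the one that fires first on a phished account, since the attacker's first login is usually from somewhere the employee has never been.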

(Source: HelpNet Security)
