Attackers target retailers’ gift card systems using cloud-only techniques

by CybrGPT

A newly uncovered attack campaign mounted by suspected Morocco-based attackers has been hitting global retailers and other businesses issuing gift cards.

What makes this campaign stand out is how the threat actors avoid typical malware techniques and endpoint hacking and operate entirely in cloud environments.

The attackers rely on phishing and smishing to harvest account credentials, then use trusted cloud services instead of deploying malware. “Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards,” Palo Alto Networks researchers pointed out.

The campaign

The campaign, which the researchers dubbed Jingle Thief due to the attackers’ focus on conducting gift card fraud during festive seasons, starts with phishing.

Employees at targeted companies receive spear-phishing emails or SMS messages that lead them to fake (but convincing) login portals that mimic legitimate services such as Microsoft 365.

The attack chain (Source: Palo Alto Networks’ Unit 42)

“After harvesting credentials in the campaign that we observed, the attackers authenticated to Microsoft 365 directly and began navigating the environment, with no malware required,” the researchers shared.

They search file shares, OneDrive and SharePoint for internal documents about gift card issuance workflows, ticketing systems and internal processes, as well as for the organizations’ VPN configurations, access guides and virtual machines.

They also try to gain access to other employees’ accounts by using the initially compromised account to send out internal phishing emails, which are more likely to be trusted by recipients and to go undetected by security solutions.

The emails mimic IT service notifications and trick other employees into handing over credentials.

To hide their actions from both users and defenders, they move the sent phishing emails immediately from Sent Items to Deleted Items, and move replies from users from Inbox to Deleted Items.

They also set up inbox rules that forward emails to email accounts they control, so they can monitor for changes in gift card approvals, financial workflows, and IT ticketing.

Finally, to ensure persistence beyond password resets and session revocations, they use self-service flows to reset passwords (when needed) and silently register additional devices in Entra ID and rogue authenticator apps, so they can satisfy multi-factor authentication requirements with factors they control.
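The mailbox-rule and device-registration behaviour described above is visible in audit logs. The following is an added detection example, not code from Unit 42 or the original article; it runs over constructed records shaped loosely like Microsoft 365 unified audit log and Entra ID audit log entries (field names, operation names and the `corp.example` / `attacker.example` domains are assumptions), flagging rules that forward mail externally, rules that hide mail in Deleted Items, and new MFA device registrations, then grouping findings per account.

```python
# Constructed sample records (field names are assumptions for illustration).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [
        {"Name": "Name", "Value": "gc"},
        {"Name": "ForwardTo", "Value": "drop@attacker.example"},
        {"Name": "SubjectContainsWords", "Value": "gift card;approval"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example", "Parameters": [
        {"Name": "Name", "Value": "tidy"},
        {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@corp.example", "Parameters": [
        {"Name": "Name", "Value": "cleanup"},
        {"Name": "MoveToFolder", "Value": "Deleted Items"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Add registered device", "UserId": "alice@corp.example", "Parameters": []},
]

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the tenant's own domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
IDENTITY_OPS = {"Add registered device", "User registered security info"}

def _params(event):
    """Flatten the Name/Value parameter list of an Exchange audit record."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}

def is_external(address, internal=INTERNAL_DOMAINS):
    return address.rsplit("@", 1)[-1].lower() not in internal

def classify(event):
    """Return finding labels for one audit record (empty list = nothing suspicious)."""
    findings = []
    op = event.get("Operation")
    if op in RULE_OPS:
        p = _params(event)
        # A rule that forwards or redirects to an address outside the tenant.
        for name in FORWARD_PARAMS & p.keys():
            if any(is_external(a.strip()) for a in p[name].split(";")):
                findings.append("external_forwarding_rule")
        # A rule that buries or deletes mail, hiding phishing replies from the user.
        if p.get("MoveToFolder") == "Deleted Items" or p.get("DeleteMessage") == "True":
            findings.append("hide_mail_rule")
    elif op in IDENTITY_OPS:
        # New device or authenticator registration: a persistence signal on its own.
        findings.append("mfa_device_registration")
    return findings

def triage(events):
    """Group findings per account so rule plus device hits on one user stand out."""
    by_user = {}
    for e in events:
        for f in classify(e):
            by_user.setdefault(e["UserId"], set()).add(f)
    return by_user
```

An account that appears with both a mail-hiding or forwarding rule and a fresh device registration, as `alice@corp.example` does here, is the combination the article describes and merits immediate review.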

Prioritize identity-based monitoring

“The ultimate goal of these varied tactics – phishing, inbox control, mail exfiltration and rogue device registration – is to obtain and monetize gift cards at scale,” the researchers believe.

“In the campaign we observed, the attackers made repeated access attempts against multiple gift‑card issuance applications. They tried to issue high‑value cards across different programs in order to monetize them, and possibly to use the cards as collateral in money-laundering schemes – effectively turning digital theft into untraceable cash or short-term loans. These operations were staged in a way that minimizes logging and forensic traces, reducing the chance of rapid detection.”

All in all, their entire modus operandi is aimed at keeping their presence and activity undetected for a considerable amount of time. Ultimately, they also leave very little forensic trace because they stay within legitimate cloud workflows.

Unit 42 attributes the activity, with moderate confidence, to financially motivated actors based in Morocco. The researchers believe the activity partly overlaps with that of the threat actor publicly tracked as Atlas Lion.

Palo Alto Networks has released indicators of compromise related to this campaign, and the researchers have advised companies in the retail and consumer-services sector to prioritize identity-based monitoring.

“Understanding user behavior, login patterns and identity misuse is increasingly essential for early detection and response,” they concluded.
