
"Jingle Thief" Hackers Exploit Cloud Infrastructure for Millions in Gift Card Fraud

A sophisticated cybercriminal group known as "Jingle Thief" is orchestrating a large-scale gift card fraud campaign, exploiting cloud infrastructure to steal millions. The attackers target retail and consumer services organizations, using phishing and smishing tactics to gain access to cloud environments and issue unauthorized gift cards for resale on the black market. This operation, active since at least late 2021, highlights the growing threat of identity-based attacks in cloud environments.

Key Takeaways

  • "Jingle Thief" hackers target the cloud environments of retail and consumer services companies.

  • Phishing and smishing are used to steal credentials and gain access.

  • The group issues unauthorized gift cards, reselling them for monetary gain.

  • Attackers maintain long-term persistence, sometimes over a year, within compromised systems.

  • The campaign is financially motivated and believed to originate from Morocco.

The "Jingle Thief" Modus Operandi

The "Jingle Thief" group, tracked by Palo Alto Networks Unit 42 as CL-CRI-1032, employs a multi-stage attack strategy. It begins with highly targeted phishing and smishing campaigns designed to steal Microsoft 365 credentials. Once access is gained, the attackers conduct extensive reconnaissance within the victim's cloud environment, focusing on SharePoint and OneDrive to locate gift card issuance workflows and related documentation.

Exploiting Cloud Services for Fraud

Instead of deploying traditional malware, "Jingle Thief" uses compromised cloud accounts to impersonate legitimate users. With that access the group locates sensitive data and systems, specifically gift card issuance applications, and issues high-value gift cards across several programs. Because every action is performed with a valid account through legitimate cloud services, the activity leaves few of the forensic traces (no malware, no attacker-owned endpoints) that conventional detection relies on. Their operations often coincide with festive seasons, capitalizing on increased gift card spending.

Persistence and Evasion Tactics

A key characteristic of this group is its ability to keep a persistent foothold in compromised organizations for extended periods, sometimes exceeding a year. The methods include creating inbox rules that forward sensitive emails to attacker-controlled mailboxes, and registering their own authenticator apps or devices in Entra ID so that MFA challenges resolve to the attacker. Because the attacker-registered method survives a credential change, this keeps access alive even after a password reset.
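The two persistence techniques described above leave audit records that can be hunted for directly. The following is an added example, not code from the page or from Unit 42: it runs over constructed Microsoft 365 Unified Audit Log records (the tenant domain contoso.example, the users, addresses and IPs are all invented) and flags inbox rules that forward or redirect mail outside the tenant, successful registrations of new security info in Entra ID, and accounts that show both, which is the combination the report describes.

```python
"""Hunt constructed Microsoft 365 audit records for the two persistence
techniques described above: inbox rules that forward mail outside the
tenant, and new MFA methods registered on a compromised account.

Record shapes follow Unified Audit Log exports (Exchange and Entra ID
workloads); every record below is constructed sample data, and the tenant
domain, users, addresses and IPs are invented.
"""
import json
import re

# Assumption: the tenant's own accepted domains.
INTERNAL_DOMAINS = {"contoso.example"}

# Inbox-rule parameters that send a copy of mail to another mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Entra ID operations recorded when an authentication method is added.
MFA_REGISTRATION_OPS = {"User registered security info",
                        "Admin registered security info"}

# Matches bare addresses and the "[SMTP:user@domain]" form Exchange may log.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records (not real telemetry), one JSON document per line.
SAMPLE_RECORDS = [json.dumps(r) for r in [
    # Legitimate rule: files newsletters into a folder, no forwarding.
    {"CreationTime": "2024-11-18T08:02:11", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "News"}]},
    # Suspicious: copies gift-card approval mail to an external drop and deletes it.
    {"CreationTime": "2024-11-18T23:41:09", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "gift card;approval"},
                    {"Name": "ForwardTo", "Value": "[SMTP:drop@mail-relay.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    # Same account registers a new authenticator app minutes later.
    {"CreationTime": "2024-11-19T00:05:33", "Workload": "AzureActiveDirectory",
     "Operation": "User registered security info", "UserId": "bob@contoso.example",
     "ClientIP": "198.51.100.7", "ResultStatus": "Success",
     "ResultDescription": "User registered Authenticator App with Notification and Code"},
    # Internal redirect to a shared mailbox: stays inside the tenant, not flagged.
    {"CreationTime": "2024-11-19T09:12:00", "Workload": "Exchange",
     "Operation": "Set-InboxRule", "UserId": "carol@contoso.example",
     "ClientIP": "203.0.113.22",
     "Parameters": [{"Name": "RedirectTo", "Value": "helpdesk@contoso.example"}]},
]]


def external_forward_targets(record):
    """Return addresses outside INTERNAL_DOMAINS that an inbox-rule event
    forwards or redirects to; empty when the event is not a forwarding rule."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in RULE_OPS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        for addr in EMAIL_RE.findall(str(param.get("Value", ""))):
            if addr.split("@")[1].lower() not in INTERNAL_DOMAINS:
                targets.append(addr.lower())
    return targets


def is_mfa_registration(record):
    """True for a successful Entra ID security-info (MFA method) registration."""
    return (record.get("Workload") == "AzureActiveDirectory"
            and record.get("Operation") in MFA_REGISTRATION_OPS
            and record.get("ResultStatus") == "Success")


def hunt(lines):
    """Parse JSON audit lines and return one finding per matched technique."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        base = {"user": rec.get("UserId", "").lower(),
                "time": rec.get("CreationTime"), "ip": rec.get("ClientIP")}
        targets = external_forward_targets(rec)
        if targets:
            findings.append({**base, "technique": "external_forwarding_rule",
                             "detail": ",".join(targets)})
        if is_mfa_registration(rec):
            findings.append({**base, "technique": "mfa_method_registered",
                             "detail": rec.get("ResultDescription", "")})
    return findings


def users_with_both(findings):
    """Accounts showing an external forwarding rule and a new MFA method:
    the pairing the report describes, and the strongest signal here."""
    seen = {}
    for f in findings:
        seen.setdefault(f["user"], set()).add(f["technique"])
    wanted = {"external_forwarding_rule", "mfa_method_registered"}
    return sorted(u for u, techniques in seen.items() if wanted <= techniques)


if __name__ == "__main__":
    results = hunt(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['time']} {f['user']} {f['ip']} {f['technique']}: {f['detail']}")
    print("accounts with both techniques:", users_with_both(SAMPLE_RECORDS and results))
```

In practice the input would be the AuditData JSON from Search-UnifiedAuditLog or a SIEM export; the internal domain set and the operation names should be checked against the tenant's own records before the logic is relied on, and a rule named "." with DeleteMessage set, as in the sample, is worth a finding of its own even when no external address appears.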

Attribution and Impact

With moderate confidence, researchers attribute this activity to financially motivated actors operating from Morocco, with overlaps to the groups tracked as Atlas Lion and Storm-0539. The "Jingle Thief" campaign underscores a shift in which attackers operate entirely within cloud environments, abusing legitimate services rather than malware for illicit gain. Gift cards are a lucrative target for these criminals because they are easy to redeem and difficult to trace.

Sources

  • "Jingle Thief" Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards, The Hacker News.

  • Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign, Unit 42.
