Cybersecurity researchers have uncovered a cybercrime group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud.
“Jingle Thief attackers are using phishing and smishing to steal credentials and compromise organizations that issue gift cards,” Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman said in an analysis Wednesday. “Once we gain access to an organization, we pursue the type and level of access necessary to issue fraudulent gift cards.”
The ultimate goal of these efforts is to leverage the issued gift cards for financial gain, likely reselling them on the gray market. Gift cards are an advantageous option because they can be easily redeemed with minimal personal information and are difficult to track, making it difficult for defenders to investigate fraud.
The name Jingle Thief is reminiscent of this threat actor’s pattern of gift card fraud around the festive and holiday seasons. Cybersecurity firms are tracking this activity under the name CL-CRI-1032. “CL” stands for cluster and “CRI” refers to crime motive.
This threat cluster is believed with moderate confidence to be the work of criminal groups tracked as Atlas Lion and Storm-0539, which Microsoft describes as a financially motivated group from Morocco. It is believed to have been active since at least the second half of 2021.
Jingle Thief’s ability to maintain a foothold within compromised organizations for long periods of time, in some cases for over a year, makes them a dangerous group. While manipulating the environment, threat actors perform extensive reconnaissance to map the cloud environment, move laterally within the cloud, and take steps to evade detection.
Unit 42 said it observed the hacker group launch a series of coordinated attacks targeting various global companies between April and May 2025, using phishing attacks to obtain the credentials needed to penetrate victims’ cloud infrastructure. In one campaign, the attackers allegedly maintained access for approximately 10 months and compromised 60 user accounts within a single organization.
“They exploit cloud-based infrastructure to impersonate legitimate users, gain unauthorized access to sensitive data, and conduct gift card fraud at scale,” the researchers noted.
This attack often involves attempting to access gift card issuing applications to issue high-value cards across a variety of programs, while ensuring that these actions leave minimal log and forensic traces.
Jingle Thief phishing attack chain across Microsoft 365
It is also highly targeted and customized to each victim, allowing attackers to perform reconnaissance before sending a convincing phishing login page via email or SMS to trick victims into entering their Microsoft 365 credentials.
As soon as the credentials are collected, the attacker wastes no time logging into the environment and performing a second reconnaissance. This time, it targets the victim’s SharePoint and OneDrive to obtain information related to business operations, financial processes, and IT workflows.
This includes finding gift card issuance workflows, VPN configuration and access guides, spreadsheets or internal systems used to issue or track gift cards, and other important details related to virtual machines and Citrix environments.
The next step was to use the compromised accounts to send phishing emails within the organization, allowing attackers to gain more foothold. These messages often leverage information gleaned from internal documents and previous communications to mimic IT service notifications and related ticketing updates.
Additionally, Jingle Thief has been known to create inbox rules that automatically forward emails from hacked accounts to addresses under its control, and to cover up traces of its activity by immediately moving sent emails to Deleted Items.
In some cases, attackers have also been observed registering rogue authenticator apps to bypass multi-factor authentication (MFA) protections or registering devices with Entra ID to maintain access even after a victim’s password is reset or session token is revoked.
In addition to focusing on cloud services rather than endpoint compromise, another notable aspect of Jingle Thief’s campaigns is their propensity for identity abuse rather than custom malware deployment, thereby minimizing the likelihood of detection.
“Gift card fraud combines stealth, speed, and scalability, especially when combined with access to the cloud environment where the issuance workflow resides,” Unit 42 said. “This cautious approach can help evade detection while laying the foundation for future fraud.”
“To exploit these systems, attackers need access to internal documents and communications. They can protect this by stealing credentials and quietly maintaining a persistent presence within the target organization’s Microsoft 365 environment that provides gift card services.”
Source link
