- Atlas Lion used phishing to infiltrate gift card systems and impersonate authorized employees
- Attackers mapped infrastructure, avoided malware, and exploited internal workflows to steal gift cards
- Gift cards are fast, untraceable, and sell easily; access lasted almost a year
A Moroccan hacking collective has been attacking companies that issue gift cards for years, infiltrating their systems, stealing the cards and likely reselling them on the black market for profit, new research claims.
Researchers at Palo Alto Networks Unit 42 dubbed the campaign “Jingle Thief” as it is most active during the holiday season.
According to the report, the group, tracked as “Atlas Lion” or “Storm-0539”, would first carefully choose its target and learn as much as possible about it before reaching out to its employees with convincing phishing lures. These lures would help the attackers gain initial access, which they would then use to map the IT infrastructure, with a specific focus on SharePoint and OneDrive.
Why gift cards?
They would then look for gift card issuance workflows, ticketing system exports or instructions, VPN access and configuration guides, spreadsheets or internal tools used to issue or track gift cards, organizational virtual machines, Citrix environments, and more.
Instead of deploying malware (which would likely raise alarms), the attackers would rely on internal phishing to strengthen their foothold in the victim organization, targeting employees with fake IT service notifications, ticket updates, and more.
After identifying gift card issuance processes, they would pose as authorized users to request or approve gift card transactions, effectively stealing them.
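A defender-side hunt for the reconnaissance pattern described above, as an added example that is not from Unit 42's report: it flags accounts that open gift-card documents together with VPN, Citrix or ticketing material inside one short window. The record fields follow Microsoft 365 audit log naming (`UserId`, `Operation`, `ObjectId`, `CreationTime`); the keyword patterns, window, threshold and sample records are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Themes taken from the document types the article lists; patterns are assumptions.
THEMES = {
    "gift_card": re.compile(r"gift[\s_-]?card", re.I),
    "vpn": re.compile(r"(?<![a-z])vpn(?![a-z])", re.I),
    "citrix": re.compile(r"citrix", re.I),
    "ticketing": re.compile(r"ticket", re.I),
}
FILE_OPS = {"FileAccessed", "FileDownloaded"}

def flag_recon(records, window=timedelta(hours=1), min_themes=3):
    """Map each user to the themes they touched, if one window covers
    gift-card documents plus enough other themes to reach min_themes."""
    per_user = defaultdict(list)
    for r in records:
        themes = {n for n, rx in THEMES.items() if rx.search(r["ObjectId"])}
        if r["Operation"] in FILE_OPS and themes:
            when = datetime.fromisoformat(r["CreationTime"])
            per_user[r["UserId"]].append((when, themes))
    flagged = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for when, themes in events[i:]:
                if when - start > window:
                    break  # events are sorted, so the rest are later still
                seen |= themes
            if "gift_card" in seen and len(seen) >= min_themes:
                flagged[user] = sorted(seen)
                break
    return flagged

def _rec(user, hhmm, path):  # builds one constructed audit record
    return {"UserId": user, "Operation": "FileAccessed",
            "CreationTime": f"2025-01-15T{hhmm}:00", "ObjectId": path}

# Constructed sample records, not taken from the report.
SAMPLE = [
    _rec("alice@example.com", "09:00", "/sites/fin/Gift_Card_Issuance_Workflow.docx"),
    _rec("alice@example.com", "09:10", "/sites/it/VPN_Setup_Guide.pdf"),
    _rec("alice@example.com", "09:20", "/sites/it/Citrix_Access.docx"),
    _rec("bob@example.com", "10:00", "/sites/fin/Gift_Card_Tracking.xlsx"),
    _rec("carol@example.com", "08:00", "/sites/it/VPN_Setup_Guide.pdf"),
    _rec("carol@example.com", "13:00", "/sites/fin/gift-card-faq.docx"),
    _rec("carol@example.com", "18:00", "/sites/it/Citrix_Access.docx"),
]
```

On the sample, only the account that sweeps all three themes within the hour is returned; the gift-card clerk and the user whose accesses are spread across the day are not.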
Gift cards are popular with cybercriminals because they are fast, fungible, and difficult to trace. The value they provide is almost instantaneous and comes without the banking traces typically found with wire transfers.
Once redeemed, gift card funds are moved to accounts or spent, making both recovery and attribution quite difficult. At the same time, cybercriminals can easily resell and convert them on dark web markets.
Atlas Lion is playing the long game, Unit 42 concluded, saying that in the campaign it observed, they maintained access for almost a year and compromised more than 60 user accounts within a single global company.
Investigators did not say how much money was stolen this way.
Via Hacker News