Security researchers are warning about a group of Moroccan hackers who invest heavily in reconnaissance, launch convincing social engineering attacks that evade security tools, infiltrate cloud environments, and maintain persistence to ultimately steal gift cards.

Gift cards are highly attractive to cybercriminals because they’re easy to monetize and difficult to track. Some crooks will go to great lengths to obtain them, especially during festive seasons.

Unit 42, a security arm of Palo Alto Networks, has investigated a campaign waged by a group operating out of Morocco. Motivated by financial gain, the gang is going after high-value gift‑card issuance applications.


“Their operations primarily target global enterprises in the retail and consumer services sectors,” reads the new report on the cloud-based gift card fraud campaign.

This group's advanced tactics, persistence, and operational focus even resemble those of nation-state actors. The researchers dubbed the fraud campaign “Jingle Thief.”


All phishing and no malware lead to cloud compromise

These cybercriminals target almost exclusively cloud environments and rely on social engineering as their main method to get in and move laterally.

However, the techniques are sophisticated, and the hackers demonstrate a high degree of adaptability and operational patience, increasing the likelihood of compromise.

“In a campaign that we observed, threat actors maintained access for approximately 10 months and compromised over 60 user accounts within a single global enterprise,” the researchers noted.

The attacks start with typical phishing attempts: the gang will send emails or SMSes, luring victims to counterfeit Microsoft 365 login portals that mimic legitimate sign-in pages.


They impersonate non-profits, NGOs, and other organizations to gain credibility and increase victim engagement.


The attackers further obscure their origin by using compromised or hijacked WordPress servers to send emails.

It’s very difficult to recognize the links due to deceptive URL formatting. The URL starts like a common website address, e.g., “https://legitimateorganization[.]com.” However, the URL continues further with “@malicious.cl[/]workspace.”

“Browsers interpret everything before the ‘@’ as user credentials, and actually navigate to the domain after it (‘malicious.cl’). This tactic helps disguise the true destination of the link and increases the likelihood of victims clicking,” Unit 42 explains.
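A mail-gateway or proxy-side check for the userinfo trick described above, as an added example that is not taken from the Unit 42 report or from this article. The function names and the sample message are constructed for illustration, and the hostnames are the placeholders the article already uses.

```python
import re
from urllib.parse import urlsplit, unquote

# Finds http(s) URLs in message text; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Userinfo that itself looks like a hostname, e.g. "legitimateorganization.com".
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def refang(text):
    """Undo common defanging so quoted indicators parse like live links."""
    return text.replace("[.]", ".").replace("[/]", "/").replace("hxxp", "http")

def inspect_url(url):
    """Return a finding if the authority part carries userinfo, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed authority, e.g. unbalanced brackets
        return None
    if "@" not in parts.netloc:  # an "@" in the path (/@name) is harmless
        return None
    userinfo = parts.netloc.rpartition("@")[0]
    decoy = unquote(userinfo.split(":", 1)[0])
    return {
        "url": url,
        "displayed_prefix": decoy,                      # what the reader sees first
        "real_host": (parts.hostname or "").lower(),    # where the browser goes
        "decoy_looks_like_host": bool(HOSTLIKE_RE.match(decoy)),
    }

def scan_message(body):
    """Collect findings for every URL in a message body."""
    findings = []
    for match in URL_RE.finditer(refang(body)):
        finding = inspect_url(match.group(0).rstrip(".,;)"))
        if finding:
            findings.append(finding)
    return findings

# Constructed sample message, using the article's placeholder hostnames.
SAMPLE = (
    "Your ticket was updated: "
    "https://legitimateorganization[.]com@malicious.cl[/]workspace\n"
    "Author page: https://example.org/@helpdesk\n"
)

if __name__ == "__main__":
    for f in scan_message(SAMPLE):
        print(f["displayed_prefix"], "->", f["real_host"], f["decoy_looks_like_host"])
```

A finding with `decoy_looks_like_host` set is the high-signal case; plain `user:password@host` links also surface but with that flag unset, so they can be triaged separately.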

Once they steal credentials, the hackers authenticate to Microsoft 365 directly, navigate the environment, and start reconnaissance.

They will mine SharePoint, OneDrive, and other services for gift card intel. They look for gift card issuance workflows, ticketing system exports or instructions, VPN configs and access guides, spreadsheets or other internal tools used to issue or track gift cards, and even virtual machines and Citrix environments.

They don’t escalate privileges but build situational awareness. They don’t deploy malware but instead rely on internal phishing to expand their foothold.

“The attackers sent phishing emails from the legitimate account to personnel inside the same organization. These messages mimicked IT service notifications or ticketing updates,” the report reads.


They add inbox rules to automatically forward emails about gift cards to their inboxes, and actively remove their footprints by deleting leftover phishing emails.

“In some intrusions, the threat actors took control of identity infrastructure by misusing legitimate user self-service and device enrollment mechanisms in Microsoft Entra ID. These tactics allowed them to maintain access even after passwords were reset or sessions were revoked,” the researchers noted.

The hackers were observed registering rogue authentication apps to bypass MFA, resetting passwords, and enrolling their own devices in Entra ID.


“Unlike many actors who hide behind VPNs, these threat actors often made no attempt to obscure their origin.”

The hackers may lurk for months until they gain access to gift card issuance applications to generate high-value cards, which are likely resold on gray marketplaces.

“By compromising the right accounts, threat actors can issue and steal gift cards, while leaving almost no trace of their malicious operations,” the researchers conclude.

“Gift-card systems are often under‑monitored and widely accessible internally, making them an attractive extension to identity‑based attacks.”

The report also includes dozens of IP addresses detected in Morocco that the attackers used during their campaign.
