Researchers from Palo Alto Networks have exposed a group of Moroccan hackers who used a combination of sophisticated techniques, from social engineering to cloud compromise, to steal gift cards from global companies. The hacking group, which the researchers dubbed Jingle Thief, targeted large retail and service companies. The goal was to gain access to internal systems where gift cards are issued or tracked, and then create or steal them for resale.

According to Unit 42, the group was remarkably patient: in some cases, the attackers remained in the system for up to 10 months, gradually compromising more than 60 accounts at a single company.
The hackers used social engineering rather than malware — victims received emails or SMS messages with fake links to Microsoft 365 that looked plausible because the URLs were formatted with an “@” symbol, which hid the real domain. After obtaining the credentials, the attackers conducted reconnaissance in cloud services — OneDrive, SharePoint, Citrix — without elevation of privilege, looking for documents related to the card issuance process. They did not install viruses, but sent internal phishing emails from legitimate accounts, adding mail forwarding rules to collect sensitive messages.
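
The "@" trick described above works because everything before the last "@" in a URL's authority is userinfo, and the browser connects to the host after it. As an added example (not from Unit 42 or the original article), this check extracts URLs from a message body and reports the real destination; the trusted-domain list, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: domains a Microsoft 365 lure would imitate; extend for your tenant.
TRUSTED = ("microsoftonline.com", "microsoft.com", "office.com", "sharepoint.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def under_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def inspect_url(url):
    """Return a finding for a URL with userinfo before '@', else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return {"url": url, "real_host": None, "decoy": None, "verdict": "malformed"}
    if "@" not in parts.netloc:
        return None  # an '@' in the path or query does not change the host
    # Text before the last '@' is userinfo: shown to the reader, ignored for routing.
    userinfo = unquote(parts.netloc.rpartition("@")[0])
    decoy = re.split(r"[:/]", userinfo)[0].lower()
    spoof = under_trusted(decoy) and not under_trusted(host)
    return {"url": url, "real_host": host.lower(), "decoy": decoy,
            "verdict": "trusted-name-decoy" if spoof else "userinfo-present"}


def scan_message(text):
    """Extract URLs from a message body and return findings, worst first."""
    findings = [f for f in map(inspect_url, URL_RE.findall(text)) if f]
    return sorted(findings, key=lambda f: f["verdict"] != "trusted-name-decoy")


if __name__ == "__main__":
    # Constructed sample message; evil.example is a reserved placeholder domain.
    sample = (
        "IT ticket update: sign in at "
        "https://login.microsoftonline.com@evil.example/common/oauth2 "
        "or read https://learn.microsoft.com/entra/@notes for details."
    )
    for finding in scan_message(sample):
        print(finding)
```
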
The attacks lasted for at least ten months. The group masqueraded as IT, sending “ticket updates” or “support messages” to avoid suspicion. Researchers found IP addresses registered in Morocco, as well as abuse of legitimate Microsoft Entra ID mechanisms — including device self-registration and bypassing multi-factor authentication (MFA).
The group did not hide its origin through VPNs, which made it even more difficult to detect using standard methods.
The Jingle Thief campaign demonstrates that even small groups of cybercriminals can operate like state-sponsored APT groups, combining social engineering, patience, and knowledge of corporate ecosystems. Gift cards, though seemingly insignificant, have become a lucrative target that companies should monitor as closely as banking transactions.