- Atlas Lion used phishing to infiltrate gift card systems and impersonate authorized employees
- Attackers mapped infrastructure, evaded malware and exploited internal workflows to steal gift cards
- Gift cards are fast, untraceable and easy to sell; access lasted almost a year
A Moroccan hacking collective has been targeting companies that issue gift cards for years, infiltrating their systems, stealing the cards and likely reselling them on the black market for profit, new research has claimed.
Researchers at Unit 42 of Palo Alto Networks dubbed the campaign “Jingle Thief” as it is most active during the Christmas season.
According to the report, the group, which is tracked as “Atlas Lion” or “Storm-0539”, would first carefully select its target and learn as much as possible about it before reaching out to its employees with convincing phishing lures. These lures would give the attackers initial access, which they would then use to map the IT infrastructure, with a specific focus on SharePoint and OneDrive.
Why gift cards?
They would then look for gift card issuance workflows, ticketing system exports or instructions, VPN configuration and access guides, spreadsheets or internal tools used to issue or track gift cards, organizational virtual machines, Citrix environments, and more.
Instead of dropping malware to deepen their foothold on the victim (which would probably raise a few alarms), the attackers would rely on internal phishing, targeting employees with fake IT service notifications, ticket updates and more.
After identifying gift card issuance processes, they would impersonate authorized users to request or authorize gift card transactions and in effect steal them.
Gift cards are popular with cybercriminals because they are fast, fungible and difficult to trace. The value they provide is almost immediate and comes without the banking traces normally found in wire transfers.
Once redeemed, the funds from gift cards are moved into accounts or spent, making both recovery and attribution rather difficult. At the same time, cyber crooks can easily resell and convert them on dark web marketplaces.
Atlas Lion is playing for the long term, Unit 42 concluded, saying that in the campaign it observed, they maintained access for nearly a year and compromised more than 60 user accounts within a single global enterprise.
The researchers did not say how much money was stolen in this way.
Via Hacker News