- Atlas Lion used phishing to infiltrate gift card systems and impersonate authorized employees
- Attackers mapped infrastructure, avoided malware, and exploited internal workflows to steal gift cards
- Gift cards are fast, untraceable, and easily resold; access lasted nearly a year
A Moroccan hacking collective has been targeting companies issuing gift cards for years, infiltrating their systems, stealing the cards, and likely reselling them on the black market for profit, new research has claimed.
Researchers at Unit 42 from Palo Alto Networks dubbed the campaign “Jingle Thief”, since it’s most active during the festive season.
As per the report, the group tracked as “Atlas Lion”, or “Storm-0539”, would first carefully pick its target, and try to learn as much about it as possible, before reaching out to its employees with convincing phishing lures. These lures would help them gain initial access, which they would then use to map out the IT infrastructure, with a specific focus on SharePoint and OneDrive.
Why gift cards?
They would then look for gift card issuance workflows, ticketing system exports or instructions, VPN configuration and access guides, spreadsheets or internal tools used to issue or track gift cards, organizational virtual machines, Citrix environments, and more.
Instead of dropping malware (which would probably raise a few alarms), to gain an even better foothold on the victim, the attackers would rely on internal phishing, targeting employees with fake IT service notifications, ticketing updates, and more.
After identifying gift card issuance processes, they would impersonate authorized users to request or approve gift card transactions, effectively stealing them.
Gift cards are popular with cybercriminals because they’re fast, fungible, and hard to trace. The value they provide is almost instant, and comes without the banking traces usually found in wire transfers.
Once redeemed, the funds from gift cards move into accounts, or are spent, which makes both recovery, and attribution, rather difficult. At the same time, cybercrooks can easily resell and convert them on dark web marketplaces.
Atlas Lion is playing for the long run, Unit 42 concluded, saying that in the campaign it observed, they maintained access for almost a year, and compromised more than 60 user accounts within a single global enterprise.
The researchers didn’t say how much money was stolen this way.
Via The Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
The best antivirus for all budgets
