- Atlas Lion used phishing to infiltrate gift card systems and impersonate authorized employees.
- The attackers mapped the infrastructure, avoided malware, and exploited internal workflows to steal gift cards.
- Gift cards are fast, hard to trace, and easy to resell; access lasted almost a year.
A Moroccan hacking collective has been targeting gift card companies for years, infiltrating their systems, stealing the cards and likely reselling them on the black market for profit, a new study finds.
Unit 42 researchers at Palo Alto Networks named the campaign “Jingle Thief” because it is most active during the holiday season.
According to the report, the group, tracked as “Atlas Lion” or “Storm-0539”, first carefully selects its target and learns as much about it as possible before approaching its employees with convincing phishing lures. These lures give the attackers initial access, which they then use to map the victim's IT infrastructure, with a particular focus on SharePoint and OneDrive.
Why gift cards?
They then look for internal documentation: gift card issuance workflows, ticketing system exports, instructions, VPN setup and access guides, spreadsheets or internal tools used to issue or track gift cards, organizational virtual machines, Citrix environments, and more.
Instead of deploying malware, which is likely to raise alarm bells, the attackers extend their foothold with internal phishing, targeting employees with fake IT service notifications, ticket updates, and similar messages sent from already compromised accounts.
Once the gift card issuance process is identified, they pose as authorized users to request or approve gift card transactions, essentially stealing the cards outright.
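The reconnaissance phase described above, in which a compromised account reads many operational documents (issuance workflows, VPN and Citrix guides, gift card trackers) in a short time, is something a defender can hunt for. The script below is an added example, not code from Unit 42 or from the report. It assumes SharePoint/OneDrive file-read records in the shape of Microsoft 365 unified audit log entries (UserId, Operation, ObjectId, CreationTime); the sample records and the keyword list are constructed for this illustration, and the window and threshold are arbitrary starting points to tune.

```python
"""Flag accounts that read many operations documents in SharePoint/OneDrive
within a short window, the reconnaissance pattern described in the article.

Assumption: records carry the Microsoft 365 unified audit log field names
UserId, Operation, ObjectId and CreationTime. The records below are
constructed sample data, not real log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Document terms matching what the intruders went looking for. This list is
# an assumption for the example; adapt it to your own naming conventions.
RECON_TERMS = ("gift card", "giftcard", "issuance", "vpn", "citrix",
               "access guide", "ticket export", "runbook")


def is_recon_document(object_id: str) -> bool:
    """True if the file name in a SharePoint/OneDrive URL looks operational."""
    name = object_id.rsplit("/", 1)[-1].lower()
    name = name.replace("_", " ").replace("-", " ")
    return any(term in name for term in RECON_TERMS)


def flag_reconnaissance(records, window=timedelta(hours=1), min_docs=4):
    """Return {user: sorted distinct recon documents} for every user who read
    at least `min_docs` distinct operations documents inside any `window`."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] not in ("FileAccessed", "FileDownloaded"):
            continue
        if not is_recon_document(r["ObjectId"]):
            continue
        ts = datetime.fromisoformat(r["CreationTime"].replace("Z", "+00:00"))
        per_user[r["UserId"]].append((ts, r["ObjectId"]))

    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            docs = {doc for _, doc in hits[start:end + 1]}
            if len(docs) >= min_docs:
                flagged[user] = sorted({doc for _, doc in hits})
                break
    return flagged


def _rec(ts, user, path, op="FileAccessed"):
    base = "https://example.sharepoint.com/sites/finance/Shared Documents/"
    return {"CreationTime": ts, "UserId": user, "Operation": op,
            "ObjectId": base + path}


# Constructed sample data. m.ali reads five operations documents in 20 minutes
# (the pattern to catch); j.doe reads one; s.lee reads four spread over a week.
SAMPLE_RECORDS = [
    _rec("2024-11-18T09:02:11Z", "m.ali@example.com", "Gift_Card_Issuance_Workflow.docx"),
    _rec("2024-11-18T09:05:40Z", "m.ali@example.com", "VPN_Setup_Guide.pdf"),
    _rec("2024-11-18T09:09:03Z", "m.ali@example.com", "Citrix_Access_Guide.pdf"),
    _rec("2024-11-18T09:12:55Z", "m.ali@example.com", "Q3_Budget.xlsx"),
    _rec("2024-11-18T09:15:22Z", "m.ali@example.com", "GiftCard_Tracker_2024.xlsx"),
    _rec("2024-11-18T09:21:48Z", "m.ali@example.com", "Ticket_Export_Oct.csv", "FileDownloaded"),
    _rec("2024-11-18T10:00:00Z", "j.doe@example.com", "Gift_Card_Issuance_Workflow.docx"),
    _rec("2024-11-18T10:04:00Z", "j.doe@example.com", "Q3_Budget.xlsx"),
    _rec("2024-11-18T10:09:00Z", "j.doe@example.com", "Team_Photo.png"),
    _rec("2024-11-10T08:00:00Z", "s.lee@example.com", "VPN_Setup_Guide.pdf"),
    _rec("2024-11-12T08:00:00Z", "s.lee@example.com", "Citrix_Access_Guide.pdf"),
    _rec("2024-11-14T08:00:00Z", "s.lee@example.com", "GiftCard_Tracker_2024.xlsx"),
    _rec("2024-11-16T08:00:00Z", "s.lee@example.com", "Gift_Card_Issuance_Workflow.docx"),
]


if __name__ == "__main__":
    for user, docs in flag_reconnaissance(SAMPLE_RECORDS).items():
        print(user)
        for d in docs:
            print("   ", d.rsplit("/", 1)[-1])
```

Only the account that bulk-reads operations documents in one sitting is flagged; a single read, or the same documents spread over a week, is normal staff behaviour and stays quiet. Because the campaign relied on legitimate accounts rather than malware, this kind of behavioural baseline on document access is one of the few signals available before the fraudulent issuance requests appear.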
Gift cards are popular among cybercriminals because they are fast, fungible and difficult to track. The value is available almost instantly and leaves none of the paper trail that a bank transfer does.
Once redeemed, gift card funds are transferred to accounts or spent, making both recovery and attribution difficult. At the same time, cybercriminals can easily resell and convert them on darknet trading platforms.
Atlas Lion is playing for the long term, Unit 42 concluded: in the campaign the researchers observed, the group maintained access for nearly a year and compromised more than 60 user accounts within a single global enterprise.
The researchers did not say how much money was stolen in this way.
Via The Hacker News