Cybersecurity researchers have make clear a cybercriminal group referred to as Jingle Thief that has been noticed focusing on cloud environments related to organizations within the retail and client companies sectors for present card fraud.
“Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that problem present playing cards,” Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman mentioned in a Wednesday evaluation. “As soon as they acquire entry to a corporation, they pursue the kind and degree of entry wanted to problem unauthorized present playing cards.”
The tip aim of those efforts is to leverage the issued present playing cards for financial acquire by seemingly reselling them on grey markets. Reward playing cards make for a profitable alternative as they are often simply redeemed with minimal private data and are troublesome to hint, making it tougher for defenders to research the fraud.
The title Jingle Thief is a nod to the menace actor’s sample of conducting present card fraud coinciding with festive seasons and vacation durations. The cybersecurity firm is monitoring the exercise beneath the moniker CL‑CRI‑1032, the place “CL” stands for cluster and “CRI” refers to prison motivation.
The menace cluster has been attributed with average confidence to prison teams tracked as Atlas Lion and Storm-0539, with Microsoft describing it as a financially motivated crew originating from Morocco. It is believed to be lively since at the least late 2021.
Jingle Thief’s means to take care of footholds inside compromised organizations for prolonged durations, in some circumstances for over a 12 months, makes it a harmful group. In the course of the time it spends with the environments, the menace actor conducts intensive reconnaissance to map the cloud setting, strikes laterally throughout the cloud, and takes steps to sidestep detection.
Unit 42 mentioned it noticed the hacking group launching a wave of coordinated assaults focusing on numerous international enterprises in April and Could 2025, utilizing phishing assaults to acquire credentials essential to breach victims’ cloud infrastructure. In a single marketing campaign, the attackers are mentioned to have maintained entry for about 10 months and damaged into 60 person accounts inside a single group.
“They exploit cloud-based infrastructure to impersonate respectable customers, acquire unauthorized entry to delicate knowledge, and perform present card fraud at scale,” the researchers famous.
The assaults usually contain makes an attempt to entry present‑card issuance purposes to problem excessive‑worth playing cards throughout completely different applications, whereas concurrently guaranteeing these actions go away minimal logs and forensic trails.
 |
| Jingle Thief phishing assault chain throughout Microsoft 365 |
They’re additionally extremely focused and tailor-made to every sufferer, with the menace actors finishing up reconnaissance earlier than sending persuasive phishing login pages by way of e mail or SMS that may idiot victims and trick them into coming into their Microsoft 365 credentials.
As quickly because the credentials are harvested, the attackers waste no time logging into the setting and perform a second spherical of reconnaissance, this time focusing on the sufferer’s SharePoint and OneDrive for data associated to enterprise operations, monetary processes, and IT workflows.
This consists of looking for present card issuance workflows, VPN configurations and entry guides, spreadsheets or inner methods used to problem or monitor present playing cards, and different key particulars associated to digital machines and Citrix environments.
Within the subsequent part, the menace actors have been discovered to leverage the compromised account to ship phishing emails internally throughout the group to broaden their foothold. These messages usually mimic IT service notifications associated to IT service notifications or ticketing updates by making use of knowledge gleaned from inner documentation or earlier communications.
Moreover, Jingle Thief is understood to create inbox guidelines to routinely ahead emails from hacked accounts to addresses beneath their management, after which cowl up traces of the exercise by transferring the despatched emails instantly to Deleted Objects.
In some circumstances, the menace actor has additionally been noticed registering rogue authenticator apps to bypass multi-factor authentication (MFA) protections and even enrolling their units in Entra ID in order to take care of entry even after victims’ passwords are reset or the session tokens are revoked.
In addition to their unique deal with cloud companies reasonably than endpoint compromise, one other facet that makes Jingle Thief’s campaigns noteworthy is their propensity for identification misuse over deploying customized malware, thereby minimizing the probabilities of detection.
“Reward card fraud combines stealth, velocity and scalability, particularly when paired with entry to cloud environments the place issuance workflows reside,” Unit 42 mentioned. “This discreet strategy helps evade detection whereas laying the groundwork for future fraud.”
“To take advantage of these methods, the menace actors want entry to inner documentation and communications. They’ll safe this by stealing credentials and sustaining a quiet, persistent presence inside Microsoft 365 environments of focused organizations that present present card companies.”
