- Atlas Lion used phishing to infiltrate gift card systems and impersonate authorized employees.
- Attackers mapped infrastructure, avoided malware, and exploited internal workflows to steal gift cards.
- Gift cards are fast, untraceable and easy to resell; access lasted almost a year.
A Moroccan hacker collective has been targeting companies that issue gift cards for years, infiltrating their systems, stealing the cards and likely reselling them on the black market for profit, according to a new study.
Researchers at Palo Alto Networks’ Unit 42 have dubbed the campaign “Jingle Thief” because it is most active during the holiday season.
According to the report, the group, tracked under the name “Atlas Lion” or “Storm-0539”, would first carefully choose its target and try to learn as much as possible about it before contacting its employees with convincing phishing lures. These lures would help the attackers gain initial access, which they would then use to map the IT infrastructure, with a particular focus on SharePoint and OneDrive.
They would then search for gift card issuance workflows, ticketing system exports or instructions, VPN configuration and access guides, spreadsheets or internal tools used to issue or track gift cards, organizational virtual machines, Citrix environments, etc.
Instead of deploying malware (which would likely raise a few alarms), the attackers would rely on internal phishing to gain a better foothold in the victim's environment, targeting employees with fake IT service notifications, ticket updates, etc.
After identifying gift card issuance processes, they would impersonate authorized users to request or approve gift card transactions, thereby stealing the cards.
Why gift cards?
Gift cards are popular with cybercriminals because they are fast, fungible and difficult to trace. The value they provide is almost instantaneous and comes without the bank traces usually found in wire transfers.
Once redeemed, gift card funds are transferred to accounts or spent, making recovery and attribution rather difficult. At the same time, cybercriminals can easily resell and convert them on dark web marketplaces.
Atlas Lion is playing the long game, Unit 42 concluded, saying that in the campaign it observed, the group maintained access for nearly a year and compromised more than 60 user accounts within a single global company.
Researchers did not say how much money was stolen this way.
Via Hacker news




