Summary Points
- Jingle Thief Cybercrime Campaign: A Morocco-based group runs a large-scale gift card fraud operation, targeting retailers during the holiday season and relying on stealthy, prolonged access to cloud environments.
- Credential Compromise Tactics: The attackers start with phishing to harvest Microsoft 365 credentials, then build deep familiarity with victim networks, which makes detection and remediation difficult.
- Weak Gift Card Protections: Inadequate protections on gift card systems make them attractive to identity-based attacks, enabling attackers to issue and steal cards with minimal traces.
- Retail Sector Vulnerability: Retailers face heightened cyber threats due to complex IT systems, high transaction volumes, and ineffective cybersecurity awareness among seasonal employees.
A large-scale gift card fraud campaign run by a Morocco-based cybercrime group offers an early look at the kinds of threats retailers may face as they head into this year’s busy holiday season.
Dubbed “Jingle Thief,” the operation primarily targets global retailers and consumer services organizations that rely heavily on cloud-based infrastructure. What makes it especially concerning is the ability of the attackers to maintain a stealthy, months-long presence on victim networks after gaining initial access, according to researchers at Palo Alto Networks’ Unit 42.
Jingle Thief Actors Target Cloud Environments
“During this time, they gain deep familiarity with the environment, including how to access critical infrastructure — making detection and remediation especially challenging,” Unit 42 researchers warned in a recent blog post. Unlike campaigns that rely on malware and endpoint exploitation, Jingle Thief actors operate almost entirely within cloud environments, using stolen credentials to impersonate legitimate users, navigate gift card issuance systems, and generate high-value cards for resale on gray markets.
In one intrusion that Unit 42 observed, the attackers lurked undetected for 10 months inside a global company and compromised more than 60 employee accounts while using standard Microsoft 365 tools to masquerade as legitimate users conducting normal business.
A typical Jingle Thief attack begins with a tailored phishing or smishing effort to harvest Microsoft 365 credentials at targeted organizations. The attackers then use the stolen credentials to access victim cloud environments and search SharePoint sites and OneDrive folders for internal documents detailing gift card workflows, ticketing systems, VPN configurations, and card issuance procedures.
Once the attackers have the information they are looking for, they have tended to use internal phishing campaigns — like emails purporting to be from trusted colleagues or masquerading as IT and ServiceNow notifications — to gather credentials to higher privileged accounts. For long-term persistence, the attackers have been exploiting legitimate self-service features in Microsoft’s Entra ID platform to register rogue authenticator apps and enroll attacker-controlled devices. “These tactics allowed them to maintain access even after passwords were reset or sessions were revoked,” Unit 42 noted.
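The persistence technique described above leaves a footprint in the identity provider's audit trail: a new authenticator app or device registered for a user shortly after that user's password was reset or sessions were revoked. The script below is an added example and is not Unit 42's or Microsoft's code. It walks constructed audit events shaped like Entra ID audit log entries (the field names `activityDisplayName`, `activityDateTime`, `targetUser` and `ipAddress`, and the activity names in `RESET_EVENTS` and `REGISTRATION_EVENTS`, are assumptions that should be aligned with the real log export) and flags registrations that land inside a configurable window after a credential reset.

```python
"""Flag self-service MFA/device registrations that follow a password reset.

Added example (not code from the page or from Unit 42). The event layout and
activity names are assumptions modelled on Entra ID audit-log conventions;
adapt them to the actual export before using this on real data.
"""
import json
from datetime import datetime, timedelta

# Activities that indicate a credential reset or session revocation (assumed names).
RESET_EVENTS = {"Reset user password", "Change user password", "Revoke sessions"}
# Self-service activities an attacker uses to regain access (assumed names).
REGISTRATION_EVENTS = {"User registered security info", "Register device"}

# Constructed sample audit events; not data from any real tenant.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2025-01-10T09:00:00Z", "activityDisplayName": "Reset user password",
     "targetUser": "alice@example.invalid", "ipAddress": "198.51.100.10"},
    {"activityDateTime": "2025-01-10T09:40:00Z", "activityDisplayName": "User registered security info",
     "targetUser": "alice@example.invalid", "ipAddress": "203.0.113.5"},
    {"activityDateTime": "2025-01-10T10:05:00Z", "activityDisplayName": "Register device",
     "targetUser": "alice@example.invalid", "ipAddress": "203.0.113.5"},
    # bob registers a method with no preceding reset: not flagged by this rule.
    {"activityDateTime": "2025-01-12T14:00:00Z", "activityDisplayName": "User registered security info",
     "targetUser": "bob@example.invalid", "ipAddress": "198.51.100.22"},
    # carol's registration is two days after the reset: outside the 24h window.
    {"activityDateTime": "2025-01-13T08:00:00Z", "activityDisplayName": "Reset user password",
     "targetUser": "carol@example.invalid", "ipAddress": "198.51.100.10"},
    {"activityDateTime": "2025-01-15T08:30:00Z", "activityDisplayName": "User registered security info",
     "targetUser": "carol@example.invalid", "ipAddress": "198.51.100.31"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_registrations_after_reset(events, window_hours: int = 24):
    """Return registrations that occur within window_hours after a reset for the same user."""
    window = timedelta(hours=window_hours)
    by_user: dict[str, list] = {}
    for event in sorted(events, key=lambda e: parse_ts(e["activityDateTime"])):
        by_user.setdefault(event["targetUser"], []).append(event)

    findings = []
    for user, user_events in by_user.items():
        last_reset = None  # most recent reset seen for this user, in time order
        for event in user_events:
            name = event["activityDisplayName"]
            ts = parse_ts(event["activityDateTime"])
            if name in RESET_EVENTS:
                last_reset = ts
            elif name in REGISTRATION_EVENTS and last_reset is not None and ts - last_reset <= window:
                findings.append({
                    "user": user,
                    "activity": name,
                    "minutes_after_reset": int((ts - last_reset).total_seconds() // 60),
                    "ipAddress": event.get("ipAddress"),
                })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_registrations_after_reset(SAMPLE_AUDIT_LOG), indent=2))
```

The rule deliberately keys on the reset-then-register sequence rather than on registrations alone, because legitimate users also enrol new phones; the suspicious pattern in the campaign is that the attacker re-establishes a foothold right after the defender thinks access has been cut. Comparing the registration source IP with the user's usual sign-in locations is a natural second signal to add.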
Weakly Protected
One factor that has fueled the attacks — and contributed to their success — is that gift card systems are often inadequately protected and widely accessible internally. This makes them an attractive target for identity-based attacks where a threat actor with the right credentials can issue and steal gift cards with barely a trace, Unit 42 researchers said.
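Because a valid credential is all the attacker needs once inside the gift card system, the compensating control is monitoring of the issuance trail itself. The script below is an added example, not code from the page or from any retailer's platform: it runs a sliding-window check over constructed issuance records (the record fields, the one-hour window and the value limit are all assumptions) and raises an alert the first time an issuing account exceeds the limit inside the window, which is the kind of burst a compromised account produces when cards are generated for resale.

```python
"""Sliding-window gift card issuance monitor.

Added example (not code from the page). Record layout, window and limit are
assumptions; the issuance records below are constructed, not real data.
"""
from collections import deque
from datetime import datetime, timedelta


def constructed_issuance_log():
    """Build a constructed log: one normal issuer and one bursting issuer."""
    records = []
    # cs_agent_07 issues three modest cards spread across a business day.
    for hour in (9, 11, 15):
        records.append({"ts": f"2025-11-28T{hour:02d}:00:00", "issuer": "cs_agent_07",
                        "value": 50, "recipient": "shopper@example.invalid"})
    # cs_agent_12 issues fifteen high-value cards two minutes apart, late at night.
    for i in range(15):
        records.append({"ts": f"2025-11-28T22:{2 * i:02d}:00", "issuer": "cs_agent_12",
                        "value": 100, "recipient": f"drop{i}@example.invalid"})
    return records


def flag_bulk_issuance(records, window_minutes: int = 60, value_limit: int = 1000):
    """Return the first breach per issuer of value_limit within any window_minutes span."""
    window = timedelta(minutes=window_minutes)
    recent: dict[str, deque] = {}   # issuer -> (timestamp, value) pairs inside the window
    alerts: dict[str, dict] = {}
    for record in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(record["ts"])
        queue = recent.setdefault(record["issuer"], deque())
        queue.append((ts, record["value"]))
        # Drop issuances that have aged out of the window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        total = sum(value for _, value in queue)
        if total > value_limit and record["issuer"] not in alerts:
            alerts[record["issuer"]] = {
                "first_breach_at": record["ts"],
                "value_in_window": total,
                "cards_in_window": len(queue),
            }
    return alerts


if __name__ == "__main__":
    for issuer, alert in flag_bulk_issuance(constructed_issuance_log()).items():
        print(issuer, alert)
```

In production the same check would run over the issuance system's own audit records and feed an alert that requires a second approver before further cards are released from that account; the thresholds should be tuned to each store's genuine peak-season volumes so that the rule does not fire on legitimate bulk promotions.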
The Jingle Thief campaign is only one example of the increasingly frequent attacks targeting the retail sector this year. Scattered Spider, a loose affiliation of like-minded English-speaking hackers, has garnered considerable attention recently for high-profile attacks on UK-based companies Harrods, M&S, and Co-op, as well as several US retailers. Over the years, there have been several others, including FIN8, a financially motivated outfit known for attacking retailers via POS malware and spear-phishing, and Magecart, a collective of operators specialized in skimming payment card information from e-commerce sites.
A survey by VikingCloud earlier this year found 80% of retailers had experienced a cyberattack over the prior 12 month period. More than 50% reported increased vulnerability to attacks, pointing to understaffed teams and inadequate cybersecurity training for staff as huge problems.
Retail Sector in the Crosshairs
“Retail has always been in the crosshairs because it sits at the intersection of three attacker incentives: high transaction volume, widespread digital sprawl, and attractive monetization paths,” says Ensar Seker, chief information security officer (CISO) at SocRadar. Campaigns like Jingle Thief highlight how attacks on the retail sector have evolved from mere data theft to real-time fraud, he says.
“They aren’t just stealing static information; they’re executing full workflows from access to monetization within minutes, often blending phishing, smishing, and social engineering with automated tooling and AI-enabled scripting,” Seker says.
Retailers are a goldmine for cybercriminals because they sit at the intersection of money, personal data, and massive transaction volume, echoes Abu Qureshi, threat research and mitigation lead at BforeA. Attackers know there’s a direct path to cash through stolen gift cards, loyalty points, or payment data, and the holiday rush only amplifies that opportunity. “We see that attackers treat retailers as low-hanging fruit: predictable seasonal peaks, fragmented IT systems, and a huge attack surface across stores, e-commerce, and third-party vendors.”
Technical complexity is the major reason why retailers generally have a harder time protecting against cyberattacks than organizations in other sectors, Qureshi says. “The biggest challenge is complexity because most retail environments are a patchwork of old suppliers, outsourced payment processors, cloud apps, and partner integrations,” he says. What exacerbates the situation is rapid seasonal hiring and uneven security across franchise locations, meaning even if a retailer’s corporate security practices are solid, there are too many weak links to protect against, he says.
For retailers, the most effective defense starts with controlling how employees access systems in the first place, says Darren Guccione, CEO and co-founder at Keeper Security. That means implementing strong passwords and storing them securely or using passkeys to offer a phishing-resistant, passwordless way to log into accounts. Multifactor authentication and privileged access management tools can add additional essential security layers, he says.
A Lack of Awareness
Awareness training for employees is another vital factor. “The same AI tools that help retailers personalize marketing and streamline logistics are being used by criminals to craft realistic phishing and smishing campaigns,” Guccione notes. “Regular cybersecurity awareness training gives employees the knowledge to spot red flags and understand how to verify messages before they act.”
One big challenge that retailers have to deal with, that many others don’t, is the need to manage seasonal and transient employees during periods like the upcoming holiday shopping season. “Some of these employees … may not be engaged in trying to be secure for the organization,” says Erich Kron, CISO advisor at KnowBe4. “This is one reason it is so important for messaging to explain that there is a personal benefit to employees as well, as they become harder to scam at home.”