Moroccan cybercriminals exploit global retail firms in gift card scheme

Tuesday 28 October 2025 - 12:20

By: Dakir Madiha

Moroccan cybercriminals exploit global retail firms in gift card scheme

A sophisticated cybercrime campaign originating in Morocco has been targeting global retail and consumer services companies, stealing and monetizing gift cards on a large scale. Dubbed “Jingle Thief,” this operation has been active since 2021, leveraging cloud-based infrastructure to execute fraud, particularly during major holiday seasons when gift card activity peaks.

Extensive infiltration and prolonged access

According to Unit 42, the cybersecurity division of Palo Alto Networks, the attackers infiltrate organizations through phishing and SMS-based “smishing” campaigns. They exploit Microsoft 365 services such as SharePoint, OneDrive, Exchange, and Entra ID to gain access to sensitive systems. Once inside, they maintain access for extended periods, sometimes over a year, allowing them to compromise multiple user accounts and execute large-scale fraud.

In one incident, attackers retained access for ten months, compromising over 60 user accounts within a single global enterprise. Their activities spike during holiday periods, coinciding with reduced staffing and increased gift card purchases, making detection more challenging.

Sophisticated phishing tactics

The attackers craft highly convincing phishing content tailored to their targets. By mimicking organizational branding, portals, and email templates, they create authentic-looking login pages designed to steal credentials. Some phishing lures impersonate nonprofits or NGOs to increase credibility.

Phishing URLs often appear legitimate but redirect victims to malicious sites. For example, attackers use deceptive URL formatting, such as embedding malicious domains within trusted-looking structures, to obscure their true origin.

To evade detection, the attackers employ compromised WordPress servers to deliver phishing emails using self-hosted PHP mailer scripts. They also use advanced techniques to avoid forensic traces, such as minimizing logs and using VPNs with abnormal configurations.

Why gift cards are the prime target

Gift cards are particularly attractive to cybercriminals due to their ease of redemption, anonymity, and minimal personal information requirements. Once stolen, the cards are resold on gray-market platforms at discounted rates, providing quick cash flow. Retail environments are especially vulnerable, as gift card systems are often accessible to a wide range of internal users and support multiple vendors, creating broader attack surfaces.

Evidence links attackers to Morocco

The investigation identified multiple IP addresses geolocated to Morocco, including 105.156.109[.]227 and 196.89.141[.]80. The attackers also used Moroccan ASN organizations such as MT-MPLS and MAROCCONNECT. Some US-based infrastructure was also employed, potentially as proxies or compromised hosts.

The activity cluster, tracked as CL-CRI-1032, overlaps with threat actors known as Atlas Lion and STORM-0539. Jingle Thief’s reuse of distinctive domain structures across campaigns further supports its attribution to Moroccan-based groups.

Strengthening defenses against identity-based attacks

Unit 42 emphasized the importance of prioritizing identity-based monitoring as part of modern cybersecurity strategies. Behavioral anomalies, such as suspicious login patterns and identity misuse, were key indicators of the Jingle Thief campaign. Advanced tools like Cortex User Entity Behavior Analytics (UEBA) and Identity Threat Detection and Response (ITDR) have helped detect such anomalies.

As identity becomes the new perimeter in cybersecurity, organizations are urged to enhance their monitoring of user behavior and identity misuse to detect and respond to threats early. Retailers, in particular, must strengthen oversight of gift card systems to mitigate vulnerabilities exploited by campaigns like Jingle Thief.