In October 2024, cybersecurity analysts at EclecticIQ uncovered a phishing campaign targeting online shoppers in the U.S. and Europe. The campaign, tied to a Chinese group called SilkSpecter, exploits the busy Black Friday shopping period to steal payment information and personal data. Attackers lure victims by promoting fake product discounts on fraudulent websites, tricking them into sharing sensitive card details and personal information.


How SilkSpecter Operates

Phishing Techniques

SilkSpecter uses convincing fake e-commerce sites that mimic legitimate stores. These sites often:

  • Promote massive discounts (e.g., “80% off”) to attract shoppers.
  • Leverage Stripe, a trusted payment processor, for transactions. While purchases appear legitimate, sensitive cardholder details are stolen and sent to a server controlled by the attackers.
  • Dynamically adjust language based on the victim’s location using Google Translate, making the sites appear more authentic.

Domain and Platform Abuse

The group relies on a Chinese platform, oemapps, to quickly create fake e-commerce sites. These sites often use domain names ending in .top, .shop, .store, and .vip, designed to look similar to legitimate businesses.

Tracking Victims

Phishing kits include tools like OpenReplay, TikTok Pixel, and Meta Pixel to track visitor behavior. Browser data, such as IP addresses and geolocation, is collected to enhance the scam’s effectiveness.


How the Attack Unfolds

  1. Victim Interaction
    Shoppers are directed to a phishing site through deceptive ads or SEO-optimized search results.

  2. Information Capture
    Victims enter payment details, which are processed through Stripe. The details are simultaneously stolen and sent to a remote server.

  3. Follow-Up Attacks
    Victims are often asked to provide phone numbers. Analysts believe these could be used in follow-up scams, such as:

    • Vishing (voice phishing): Impersonating trusted entities to extract more information.
    • Smishing (SMS phishing): Sending fraudulent messages to steal login credentials or two-factor authentication codes.

Identifying SilkSpecter

Language Clues

The phishing sites’ code contains Mandarin comments and tags, linking the developers to China.

Infrastructure

  • The group uses Chinese-hosted servers and registrars, such as West263 International Limited and Cloud Yuqu LLC, to operate phishing domains.
  • Over 4,000 domains and 89 IP addresses tied to their campaigns have been identified.

What You Can Do

Protect Yourself While Shopping Online

  • Use Virtual Cards: Many banks offer temporary card numbers for safer transactions.
  • Set Spending Limits: Restrict your card’s online spending or require additional verification for purchases.
  • Be Wary of Too-Good-to-Be-True Deals: Avoid sites offering unrealistically steep discounts.

Monitor for Suspicious Activity

  • Look for Patterns: Be cautious of URLs with keywords like “Black Friday” and file paths like /homeapi/collect.
  • Watch for Unusual Traffic: Use tools to track connections to suspicious ASNs tied to SilkSpecter’s infrastructure.

Conclusion

SilkSpecter’s phishing schemes highlight how attackers exploit trust and busy shopping seasons to target unsuspecting victims. By staying vigilant, using secure payment methods, and monitoring online activity, you can reduce the risk of falling for these scams.

Indicators of Compromise

Some known phishing domains linked to SilkSpecter:

  • northfaceblackfriday[.]shop
  • ikea-euonline[.]com
  • blackfriday-shoe[.]top

 

Cookie Consent with Real Cookie Banner