Phishing Campaign Targets E-Commerce Shoppers During Black Friday
Quick take - In October 2024, analysts from EclecticIQ reported a phishing campaign orchestrated by the financially motivated threat actor SilkSpecter, targeting e-commerce shoppers in Europe and the USA during the Black Friday shopping season, using fake discount offers to obtain sensitive personal and financial information.
Fast Facts
- In October 2024, EclecticIQ analysts uncovered a phishing campaign by the threat actor SilkSpecter, targeting e-commerce shoppers in Europe and the USA during the Black Friday shopping season.
- SilkSpecter used fake offers of heavily discounted products to lure victims into entering sensitive information, including Cardholder Data (CHD) and Personally Identifiable Information (PII), while abusing the legitimate payment processor Stripe so that the victim's card was actually charged.
- The phishing sites enhanced credibility by utilizing Google Translate to tailor language based on victims’ IP addresses and employed typosquatting techniques to mimic legitimate e-commerce domains.
- Based on language and infrastructure analysis, analysts assess that SilkSpecter is a Chinese threat actor, noting the use of Chinese-hosted servers and a large number of associated IP addresses and domain names.
- Analysts recommend that consumers use virtual cards with spending limits for online purchases, and that defenders monitor network traffic to the ASNs hosting the campaign infrastructure and hunt for the URL patterns and indicators associated with Black Friday-themed phishing domains.
Phishing Campaign Targeting E-Commerce Shoppers
In October 2024, analysts from EclecticIQ identified a significant phishing campaign targeting e-commerce shoppers in Europe and the USA. The campaign was strategically timed for the Black Friday shopping season and is believed to be orchestrated by a financially motivated threat actor known as SilkSpecter.
Phishing Tactics and Techniques
SilkSpecter employed fake offers of discounted products as phishing lures, aiming to obtain sensitive information, including Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII) from victims. The campaign capitalized on the surge in online shopping activity during November, coinciding with the Black Friday sales.
SilkSpecter specifically targeted victims' CHD by abusing the legitimate payment processor Stripe: the victim's card was genuinely charged, which made the purchase look authentic, while the same data was exfiltrated to the attacker. The phishing sites added credibility by using Google Translate to render the page in a language selected from the victim's IP address geolocation.
Prior to November 2024, SilkSpecter had conducted similar phishing operations linked to a Chinese Software as a Service (SaaS) platform named oemapps. The phishing domains predominantly featured top-level domains (TLDs) like .top, .shop, .store, and .vip, often employing typosquatting techniques to mimic legitimate e-commerce organizations’ domain names.
Patterns and Indicators
Analysts noted a distinct pattern among Black Friday-themed phishing domains associated with SilkSpecter, including the use of a deceptive icon labeled “trusttollsvg” and a tracking endpoint “/homeapi/collect.” The phishing pages promoted enticing discounts, such as “80% off,” luring victims into providing their personal and financial information.
The phishing kit embedded several website trackers, including OpenReplay, TikTok Pixel, and Meta Pixel, to monitor visitor activity and compile detailed logs. It captured browser metadata such as IP address, geolocation, browser type, and operating system. Victims were prompted to enter their PII and card details into a Stripe checkout; the kit used Stripe to process a real payment and, at the same time, transmitted the entered data to an attacker-controlled server.
Victims were also frequently asked for a phone number, which opens the door to follow-on vishing or smishing. Analysts assess that, with the collected PII, card data, and phone number, SilkSpecter could impersonate trusted entities, gain unauthorized access to victims' accounts, and initiate further fraudulent transactions.
Recommendations for Consumers and Defenders
In light of these findings, analysts have provided guidance for both shoppers and security teams. Suggested precautions for consumers include:
- Using virtual cards for online purchases.
- Setting spending limits on those cards.
For defenders, analysts recommend:
- Monitoring network traffic for connections to the Autonomous System Numbers (ASNs) hosting the campaign infrastructure.
- Tracking the URL patterns and indicators of compromise (IOCs) associated with Black Friday-themed phishing domains.
- Running a proposed hunting query that identifies SilkSpecter phishing domains by specific file hashes and Black Friday-themed domain names.
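The indicators described under Patterns and Indicators (the .top/.shop/.store/.vip TLDs, typosquatted retailer names, discount lures, the "trusttollsvg" icon and the "/homeapi/collect" endpoint) can be combined into a simple hunt over web-proxy logs. The script below is an added example written for this summary; it is not EclecticIQ's hunting query and does not use their file hashes. The log format, the brand list (examplemart, shopcorp, megastore) and the lure strings beyond "Black Friday" are constructed assumptions; the scoring weights are a judgement call, with the kit-specific endpoint and icon name weighted as strong indicators and a suspicious TLD alone as weak.

```python
"""Hunt SilkSpecter-style Black Friday phishing indicators in proxy logs.

Added example, not EclecticIQ's query. Indicator values marked "from the
report" come from the summary above; everything else is an assumption.
"""
import re
from urllib.parse import urlsplit

SUSPECT_TLDS = {"top", "shop", "store", "vip"}   # from the report
TRACKING_ENDPOINT = "/homeapi/collect"           # from the report
ICON_MARKER = "trusttollsvg"                     # from the report
# Assumed lure strings; "blackfriday" and "80off" follow the report's lures.
LURE_TERMS = ("blackfriday", "black-friday", "80off", "80-off", "bf-sale")
# Assumed: retailers your users actually shop at (constructed names).
BRANDS = ("examplemart", "shopcorp", "megastore")
# Assumed weights: kit-specific artefacts are strong, a TLD alone is weak.
WEIGHTS = {"tld": 1, "lure": 1, "typosquat": 2, "endpoint": 3, "icon": 3}
THRESHOLD = 3

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def levenshtein(a, b):
    """Edit distance; one edit is the usual typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_parts(host):
    """Naive (label, tld) split; no public-suffix handling (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def typosquat_of(label):
    """Return the brand a registrable label imitates, or None."""
    for brand in BRANDS:
        if label == brand:
            continue                      # the brand's own label is not a squat
        if levenshtein(label, brand) <= 1:
            return brand                  # one dropped/swapped/added character
        if brand in label:
            return brand                  # brand embedded with extra tokens
    return None


def score_url(url):
    """Return a list of (indicator, detail) tuples found in the URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    label, tld = registrable_parts(host)
    path = parts.path.lower()
    reasons = []
    if tld in SUSPECT_TLDS:
        reasons.append(("tld", "." + tld))
    brand = typosquat_of(label)
    if brand:
        reasons.append(("typosquat", brand))
    flat_host = host.replace(".", "").replace("-", "")
    if any(t.replace("-", "") in flat_host or t in path for t in LURE_TERMS):
        reasons.append(("lure", ""))
    if path.startswith(TRACKING_ENDPOINT):
        reasons.append(("endpoint", TRACKING_ENDPOINT))
    if ICON_MARKER in path:
        reasons.append(("icon", ICON_MARKER))
    return reasons


def hunt(log_lines):
    """Return (client, url, score, reasons) for lines at or above THRESHOLD."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = score_url(m["url"])
        score = sum(WEIGHTS[kind] for kind, _ in reasons)
        if score >= THRESHOLD:
            hits.append((m["src"], m["url"], score, [f"{k}:{d}" if d else k for k, d in reasons]))
    return hits


# Constructed sample log: three phishing requests, one genuine retailer sale
# page (must not fire on the lure term alone), one unrelated request.
SAMPLE_LOG = """\
2024-11-20T10:01:02Z 10.0.0.5 GET https://examplemart-blackfriday.top/ 200
2024-11-20T10:01:09Z 10.0.0.5 POST https://examplemart-blackfriday.top/homeapi/collect 200
2024-11-20T10:02:15Z 10.0.0.7 GET https://exanplemart.shop/assets/trusttollsvg.svg 200
2024-11-20T10:03:00Z 10.0.0.9 GET https://www.examplemart.com/deals/black-friday 200
2024-11-20T10:04:44Z 10.0.0.9 GET https://docs.python.org/3/library/re.html 200
"""

if __name__ == "__main__":
    for src, url, score, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(f"{score:>2} {src:<10} {url}  [{', '.join(reasons)}]")
```

The genuine retailer's own Black Friday page scores 1 (lure only) and is not reported, while the typosquatted .shop host fires on the icon name even without the lure, which is the point of keeping kit artefacts as the heaviest signals: they do not depend on the season. Replace the brand list with your own and feed real proxy lines through `hunt()`; the regex is the only format-specific part.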
Original Source: Read the Full Article Here