November 15, 2024
Severity
High
Analysis Summary
Thousands of phony internet storefronts are being used by a financially motivated Chinese threat actor known as "SilkSpecter" to steal the credit card information of American and European online buyers.
Offering steep discounts ahead of the Black Friday shopping period, which typically sees a surge in purchasing activity, the scam campaign began in October 2024. The campaign was uncovered by researchers who reported that SilkSpecter was operating 4,695 bogus domains at the time their report was released.
Popular companies like The North Face, Lidl, Bath & Body Works, L.L. Bean, Wayfair, Makita, IKEA, and Gardena are impersonated on these websites. The 'Black Friday' string is frequently included in the campaign's domain names, which target internet shoppers searching for sales.
To appear genuine at first glance, SilkSpecter websites are well-designed and usually carry the name of the impersonated company. However, they typically use top-level domains such as ".shop," ".store," ".vip," and ".top," which are not normally associated with well-known brands or reputable e-commerce sites. The sites use Google Translate to switch language automatically based on the victim's location. Embedding Stripe, a legitimate and reputable payment processor, in the phishing sites lends them further credibility while allowing the operators to collect credit card information.
SilkSpecter also deploys tracking tools such as OpenReplay, TikTok Pixel, and Meta Pixel on the sites. These tools let the operators monitor visitor behavior and possibly adjust their tactics to improve the operation's effectiveness. When a user attempts to make a purchase, they are taken to a payment page that asks for their credit/debit card number, expiration date, and CVV code. The final step also requests a phone number.
The phishing kit not only abuses the Stripe service to take the order's payment, but also forwards the entered card details to a server under the attacker's control. Researchers believe the phone number is harvested for later voice or SMS phishing attacks, used to get past two-factor authentication (2FA) prompts when the stolen card data is exploited. Based on the use of Chinese IP addresses and ASNs, Chinese domain registrars, linguistic evidence in the sites' code, and earlier use of the Chinese Software as a Service (SaaS) platform known as "oemapps" (before Stripe), SilkSpecter is assessed to be Chinese.
Black Friday shoppers are advised not to click on advertisements, links in social media posts, or sponsored Google search results, and instead to visit official brand websites directly. Cardholders should also review their statements regularly and enable multi-factor authentication and other security features on their financial accounts.
Impact
- Sensitive Data Theft
- Identity Theft
- Financial Loss
Indicators of Compromise
Domain Name
- northfaceblackfriday.shop
- lidl-blackfriday-eu.shop
- bbw-blackfriday.shop
- llbeanblackfridays.shop
- dopeblackfriday.shop
- wayfareblackfriday.com
- makitablackfriday.shop
- blackfriday-shoe.top
- eu-blochdance.shop
- ikea-euonline.com
- gardena-eu.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails or SMSs from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement email filtering and anti-phishing solutions to detect and block malicious emails before they reach users' inboxes.
- Educate employees about the risks of phishing attacks and provide training on how to recognize and report suspicious emails.
- Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
- Deploy endpoint security solutions, including antivirus software and intrusion detection systems, to detect and mitigate malicious payloads delivered through phishing emails.
- Regularly update and patch software and operating systems to address vulnerabilities that could be exploited by cyber attackers.
- Utilize network monitoring and logging tools to detect and respond to unusual or suspicious network activity indicative of a phishing attack.
- Enforce strict access controls and least privilege principles to limit the impact of successful phishing attacks by restricting user permissions and access to sensitive data and systems.
- Implement multi-factor authentication (MFA) to add an extra layer of security to user accounts and prevent unauthorized access in the event of compromised credentials.
- Establish incident response procedures and protocols to quickly identify, contain, and remediate phishing attacks, including communication plans for notifying affected parties and stakeholders.
- Collaborate with industry partners, government agencies, and cybersecurity organizations to share threat intelligence and best practices for defending against phishing attacks.
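The "block" and "search for IOCs" steps above can be turned into a small triage script. The following Python is an added example written for this advisory, not the researchers' or any vendor's tooling. It embeds the eleven domains from the Indicators of Compromise section, adds a heuristic drawn from the analysis (a "blackfriday" or brand-like label under the ".shop", ".store", ".vip" or ".top" TLDs the campaign favours), and runs both checks over a few constructed DNS query log lines. The log format, client IPs, timestamps and the domain `ikea-blackfriday-sale.store` are assumptions made for the example and do not appear in the advisory.

```python
import re
from typing import Dict, Iterable, List, Optional

# Domain IoCs copied from the advisory's Indicators of Compromise section.
SILKSPECTER_DOMAINS = {
    "northfaceblackfriday.shop",
    "lidl-blackfriday-eu.shop",
    "bbw-blackfriday.shop",
    "llbeanblackfridays.shop",
    "dopeblackfriday.shop",
    "wayfareblackfriday.com",
    "makitablackfriday.shop",
    "blackfriday-shoe.top",
    "eu-blochdance.shop",
    "ikea-euonline.com",
    "gardena-eu.com",
}

# TLDs the advisory says the campaign favours, and keywords derived from the
# brands it lists as impersonated (keywords are an assumption for the heuristic).
SUSPICIOUS_TLDS = {"shop", "store", "vip", "top"}
BRAND_KEYWORDS = {"northface", "lidl", "bbw", "bathbodyworks", "llbean",
                  "wayfair", "wayfare", "makita", "ikea", "gardena"}


def normalize_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so comparisons are stable."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    return d


def classify_domain(domain: str) -> Optional[str]:
    """Return 'ioc' for an exact match against the advisory's list, 'heuristic' for a
    domain that fits the campaign pattern (a 'blackfriday' or brand-like label under a
    favoured TLD), or None when nothing matches. Heuristic hits are for triage only."""
    d = normalize_domain(domain)
    if d in SILKSPECTER_DOMAINS:
        return "ioc"
    labels = d.split(".")
    if len(labels) < 2:
        return None
    tld = labels[-1]
    # Second-level label with hyphens removed, e.g. "lidl-blackfriday-eu" -> "lidlblackfridayeu"
    name = labels[-2].replace("-", "")
    if tld in SUSPICIOUS_TLDS and (
        "blackfriday" in name or any(brand in name for brand in BRAND_KEYWORDS)
    ):
        return "heuristic"
    return None


# Assumed resolver log layout: "<timestamp> <client-ip> query <qtype> <qname>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\w+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse resolver log lines and return one record per query that hits an IoC
    or the campaign heuristic; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_domain(m["qname"])
        if verdict:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize_domain(m["qname"]), "verdict": verdict})
    return hits


def hosts_blocklist() -> List[str]:
    """Render the IoC domains as hosts-file style sink entries for a resolver or endpoint block."""
    return [f"0.0.0.0 {d}" for d in sorted(SILKSPECTER_DOMAINS)]


# Constructed sample log lines (not real traffic): two IoC hits, one heuristic hit,
# two benign queries and one malformed line.
SAMPLE_DNS_LOG = [
    "2024-11-15T10:02:11Z 10.0.4.21 query A northfaceblackfriday.shop.",
    "2024-11-15T10:02:13Z 10.0.4.21 query A www.thenorthface.com",
    "2024-11-15T10:05:40Z 10.0.7.8 query A ikea-euonline.com",
    "2024-11-15T10:06:02Z 10.0.7.8 query A ikea-blackfriday-sale.store",
    "2024-11-15T10:07:19Z 10.0.9.3 query AAAA shop.lidl.de",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} [{hit['verdict']}]")
    print("\n".join(hosts_blocklist()))
```

Exact IoC matches are safe to block outright; heuristic matches should be reviewed before blocking, since a legitimate retailer could in principle register a ".shop" promotional domain, and the brand keyword check is a substring match that will occasionally fire on unrelated names.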