A financially motivated Chinese threat actor dubbed “SilkSpecter” is using thousands of fake online stores to steal the payment card details of online shoppers in the U.S. and Europe.
The fraud campaign started in October 2024, offering steep discounts for the upcoming Black Friday shopping period that usually sees elevated shopping activity.
EclecticIQ threat researcher Arda Buyukkaya, who discovered the campaign, told BleepingComputer that, as of the publishing of their report, SilkSpecter operates 4,695 fraudulent domains.
These sites impersonate well-known brands such as the North Face, Lidl, Bath & Body Works, L.L. Bean, Wayfair, Makita, IKEA, and Gardena.
In many cases, the domain names used in the campaign include the ‘Black Friday’ string, clearly targeting online shoppers looking for discount deals.
SilkSpecter websites are well-designed and typically named after the impersonated brand to appear authentic at a quick glance. However, their sites usually use top-level domains like ‘.shop,’ ‘.store,’ ‘.vip,’ and ‘.top,’ which are not generally associated with large brands or trustworthy e-commerce sites.
Depending on the victim’s location, the website uses Google Translate to automatically adjust the language on the fraud sites accordingly.
The phishing sites integrate Stripe, a legitimate and trusted payment processor, which adds to the site’s legitimacy while still allowing them to steal credit card information.
SilkSpecter also uses tracking tools like OpenReplay, TikTok Pixel, and Meta Pixel on the sites. These tools help them monitor visitor behavior and possibly adjust their tactics to increase the operation’s effectiveness.
When users attempt to purchase from those sites, they are redirected to a payment page that prompts them to enter their credit/debit card number, expiration date, and CVV code. A phone number is also requested at the final step.
Apart from stealing the money for the order by abusing the Stripe service, the phishing kit also sends the entered card details to an attacker-controlled server.
EclecticIQ believes the phone number is stolen to be used later in voice or SMS phishing attacks required for handling two-factor authentication (2FA) prompts when exploiting the payment card data.
SilkSpecter is believed to be Chinese, based on their use of Chinese IP addresses and ASNs, Chinese domain registrars, linguistic evidence in the sites’ code, and previous use of the Chinese Software as a Service (SaaS) platform named “oemapps” (prior to Stripe).
BlackFriday shoppers are recommended only to visit official brand websites and avoid clicking on ads, links from social media posts, or promoted results on Google Search.
Finally, cardholders should activate all available protection measures on their financial accounts, including multi-factor authentication, and monitor their statements regularly.
Unlock the Editor’s Digest for freeRoula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.Vacancies at open-air shopping cent
ThredUp’s chief product and technology officer, Dan DeMeyere, admits that shoppers can be overwhelmed when searching on the resale platform, which has more th
Dotdash Meredith and Yahoo Inc. may earn commission or revenue on some items through the links below.If you didn’t get everything you were hoping for during t
Cozy backyard bonfires — they're not just for fancy people in Aspen anymore, thanks to this portable fire pit. At just 7 inches across, 8.6 inches high and 2.