
Phishing campaign targets Black Friday shoppers in Europe and US


A sophisticated phishing campaign by Chinese threat actor ‘SilkSpecter’ targets Black Friday shoppers in Europe and the United States using over 4,000 domain names and 89 IP addresses. The cyber gang uses lure deals to entice users into sharing sensitive information, including Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII).

By leveraging Stripe, a trusted payment processor, SilkSpecter ensured transactions appeared legitimate to unsuspecting victims. However, sensitive payment details were covertly exfiltrated to attacker-controlled servers in the background.

Researchers found that SilkSpecter’s phishing sites demonstrated a high level of sophistication. Using Google Translate, the fake e-commerce pages dynamically switched to the victim’s language based on their IP address, making the sites appear credible to an international audience. Deceptive trust icons such as ‘trusttollsvg’ further enhanced their apparent legitimacy.

A sample of a phishing website used by SilkSpecter. | Source: EclecticIQ

To monitor user activity, the phishing kit also embedded website trackers, including OpenReplay, TikTok Pixel, and Meta Pixel. The attackers additionally collected metadata such as geolocation, browser details, and operating system, allowing the campaign to adapt its lures to each victim.

Researchers have connected SilkSpecter’s operations to a Chinese Software-as-a-Service (SaaS) platform named ‘oemapps,’ which likely facilitated the rapid creation of convincing phishing sites. Most of the domains used the .top, .shop, .store, or .vip top-level domains (TLDs) and employed typosquatting techniques to mimic legitimate e-commerce websites.

Evidence that SilkSpecter is based in China. | Source: EclecticIQ

Other evidence that security researchers presented to place SilkSpecter in China includes Mandarin-language comments in the phishing sites’ code and the use of Chinese domain registrars such as West263 International Limited and Alibaba Cloud.

Victims lured by fake discounts were prompted to enter personal and payment information through a Stripe interface. Unbeknownst to them, their data was being shipped to a server hosted at longnr[.]com. The campaign also requested phone numbers, which analysts believe could be exploited in secondary attacks involving voice or SMS phishing.

Researchers have urged users to monitor for suspicious domains, scrutinise network traffic, and enhance payment security by using virtual payment cards when shopping online.
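As an added defensive illustration (not from the article or from EclecticIQ’s research), the heuristic below triages newly observed domains against the TLD pattern described above and a constructed brand watch-list; the brand names and sample domains are made up, and the naive TLD split stands in for a real public suffix list.

```python
# Brands a retailer's defenders might watch (assumed for this example)
BRANDS = ["ikea", "northface", "lidl", "wayfair", "zara"]
# TLDs the article reports the campaign favoured
SUSPICIOUS_TLDS = {"top", "shop", "store", "vip"}
# Digit-for-letter swaps folded away before comparing; hyphens dropped too
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": ""})

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain: str) -> list[str]:
    """Reasons a domain looks like a retail typosquat; empty list means clean."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return []
    core, tld = labels[-2], labels[-1]  # naive split, no public suffix list
    folded = core.translate(FOLD)
    hits = []
    for brand in BRANDS:
        if folded == brand:
            if tld in SUSPICIOUS_TLDS:  # real brand name on an unexpected TLD
                hits.append(f"brand-on-suspicious-tld:{brand}")
        elif brand in folded:  # brand embedded in a longer lure name
            hits.append(f"contains:{brand}")
        elif levenshtein(folded, brand) <= max(1, len(brand) // 4):
            hits.append(f"lookalike:{brand}")
    if not hits:
        return []  # a suspicious TLD alone is too weak to alert on
    if tld in SUSPICIOUS_TLDS:
        hits.insert(0, f"tld:{tld}")
    return hits

def triage(domains: list[str]) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; clean domains are omitted."""
    return {d: r for d in domains if (r := score_domain(d))}

if __name__ == "__main__":
    # Constructed sample of newly registered domains, not real indicators
    sample = ["ikea-blackfriday-sale.top", "lidI.shop", "wayfa1r.store",
              "northface.vip", "zara.com", "example.com"]
    for dom, why in triage(sample).items():
        print(f"{dom:28} {', '.join(why)}")
```

Feeding a certificate-transparency or newly-registered-domain feed through `triage` gives a short review queue rather than an alert on every .shop registration.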


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
