Wednesday, December 11, 2024
HomeCyber Security NewsChinese SilkSpecter Hackers Attacking Black Friday Shoppers

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

Published on

SIEM as a Service

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers in Europe and the USA during the Black Friday shopping season. 

The campaign leveraged the legitimate payment processor Stripe to steal victims’ Cardholder Data (CHD) and Sensitive Authentication Data (SAD) while allowing legitimate transactions to proceed. 

The threat actor used a Chinese SaaS platform, oemapps, to rapidly create convincing fake e-commerce sites with dynamic language adjustment based on victim IP location.

- Advertisement - SIEM as a Service

The phishing sites, often typosquatting legitimate domains, used .top, .shop, .store, and .vip TLDs to deceive victims into providing sensitive information. 

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Analysts identify a pattern among Black Friday-themed phishing domains linked to the SilkSpecter threat actor, which were characterized by the presence of a deceptive “trusttollsvg” icon and a “/homeapi/collect” endpoint. 

Uncovering the pattern among Black Friday-themed phishing pages.

The icon was used to mimic trusted websites, while the endpoint allowed real-time tracking of victim interactions.

By recognizing these unique indicators, analysts were able to uncover additional discount-themed phishing domains associated with SilkSpecter’s ongoing campaign.

SilkSpecter’s phishing kit employed a multi-layered approach to deceive victims, as the Black Friday-themed phishing pages, coupled with dynamic language translation and website trackers, created a convincing illusion of legitimacy. 

Victim data, including PII, banking details, and phone numbers, was exfiltrated to attacker-controlled servers.

Stripe was abused to process real transactions, and the stolen information could be further exploited in secondary attacks like vishing or smishing. 

 Payment prompt screen on phishing page that uses Stripe

It employed a sophisticated phishing scheme to target online shoppers and by mimicking legitimate platforms, they lured victims into providing sensitive financial information. 

The stolen data, including card details, was exfiltrated to a remote server via Stripe’s APIs, bypassing security measures, where the attackers likely employed social media and SEO poisoning to disseminate the malicious phishing links, capitalizing on Black Friday promotions to increase their success rate.

According to the EclecticIQ Threat Research Team, SilkSpecter, a likely Chinese threat actor, employs Mandarin-laden JavaScript comments and HTML language tags in their phishing pages, hinting at Chinese-speaking developers. 

Use of OEMAPPS library in phishing page. 

Their infrastructure leans heavily on Chinese CDNs and SaaS platforms like oemapps, where analysts have linked SilkSpecter to over 89 IP addresses and 4,000 domains, many of which are tied to Chinese ASNs and companies, further solidifying the attribution.

It is a sophisticated phishing group that leverages Chinese domain registrars like West263, Hong Kong Kouming International, Cloud Yuqu, and Alibaba Cloud to mask its operations by utilizing Cloudflare’s infrastructure for further obfuscation. 

To mitigate risks, organizations should monitor URLs containing “discount,” “Black Friday,” or “/homeapi/collect” and flag domains with “trusttollsvg.” 

Tracking network traffic from ASNs 24429, 140227, 3824, 139021, and 45102 can help identify suspicious connections, while to protect individual users, employing virtual cards and setting spending limits on credit cards are recommended practices.

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...