Sunday, April 13, 2025
Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers in Europe and the USA during the Black Friday shopping season. 

The campaign leveraged the legitimate payment processor Stripe to steal victims’ Cardholder Data (CHD) and Sensitive Authentication Data (SAD) while allowing legitimate transactions to proceed. 

The threat actor used a Chinese SaaS platform, oemapps, to rapidly create convincing fake e-commerce sites with dynamic language adjustment based on victim IP location.

The phishing sites, often typosquatting legitimate domains, used .top, .shop, .store, and .vip TLDs to deceive victims into providing sensitive information. 

Analysts identified a pattern among the Black Friday-themed phishing domains linked to the SilkSpecter threat actor: the pages were characterized by the presence of a deceptive “trusttollsvg” icon and a “/homeapi/collect” endpoint.

Uncovering the pattern among Black Friday-themed phishing pages.

The icon was used to mimic trusted websites, while the endpoint allowed real-time tracking of victim interactions.

By recognizing these unique indicators, analysts were able to uncover additional discount-themed phishing domains associated with SilkSpecter’s ongoing campaign.

SilkSpecter’s phishing kit employed a multi-layered approach to deceive victims, as the Black Friday-themed phishing pages, coupled with dynamic language translation and website trackers, created a convincing illusion of legitimacy. 

Victim data, including PII, banking details, and phone numbers, was exfiltrated to attacker-controlled servers.

Stripe was abused to process real transactions, and the stolen information could be further exploited in secondary attacks like vishing or smishing. 

Payment prompt screen on phishing page that uses Stripe

SilkSpecter employed a sophisticated phishing scheme to target online shoppers; by mimicking legitimate platforms, it lured victims into providing sensitive financial information.

The stolen data, including card details, was exfiltrated to a remote server via Stripe’s APIs, bypassing security measures. The attackers likely employed social media and SEO poisoning to disseminate the malicious phishing links, capitalizing on Black Friday promotions to increase their success rate.

According to the EclecticIQ Threat Research Team, SilkSpecter, a likely Chinese threat actor, employs Mandarin-laden JavaScript comments and HTML language tags in their phishing pages, hinting at Chinese-speaking developers. 

Use of OEMAPPS library in phishing page. 

Their infrastructure leans heavily on Chinese CDNs and SaaS platforms like oemapps, and analysts have linked SilkSpecter to over 89 IP addresses and 4,000 domains, many of which are tied to Chinese ASNs and companies, further solidifying the attribution.

SilkSpecter is a sophisticated phishing group that leverages Chinese domain registrars like West263, Hong Kong Kouming International, Cloud Yuqu, and Alibaba Cloud, and it masks its operations by using Cloudflare’s infrastructure for further obfuscation.

To mitigate risks, organizations should monitor URLs containing “discount,” “Black Friday,” or “/homeapi/collect” and flag domains with “trusttollsvg.” 

Tracking network traffic from ASNs 24429, 140227, 3824, 139021, and 45102 can help identify suspicious connections. To protect individual users, employing virtual cards and setting spending limits on credit cards are recommended practices.
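The following is an added example (not from the article or EclecticIQ) that turns the indicators above into a small triage pass over proxy log lines. The log format, the host names, and the "AS<asn>" field are constructed assumptions for the sample; the keyword, icon, TLD, and ASN lists come from the article, with hyphenated and joined spellings of "Black Friday" added because real URLs rarely contain a space.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article (SilkSpecter Black Friday campaign).
URL_KEYWORDS = ("discount", "black friday", "black-friday", "blackfriday", "/homeapi/collect")
ICON_MARKER = "trusttollsvg"
SUSPECT_TLDS = {"top", "shop", "store", "vip"}
SUSPECT_ASNS = {24429, 140227, 3824, 139021, 45102}

# Constructed (hypothetical) proxy-log format: "<ts> <client> AS<asn> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) AS(?P<asn>\d+) (?P<url>\S+)$")

def score_request(asn: int, url: str) -> list[str]:
    """Return the article indicators matched by one request, in fixed order."""
    hits = []
    host = urlsplit(url).hostname or ""
    lowered = url.lower()
    if any(k in lowered for k in URL_KEYWORDS):
        hits.append("keyword")       # weak on its own: legitimate retailers use these words too
    if ICON_MARKER in lowered:
        hits.append("trusttollsvg")  # kit-specific icon name reported by analysts
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        hits.append("tld")
    if asn in SUSPECT_ASNS:
        hits.append("asn")
    return hits

def triage(log_text: str) -> dict[str, list[str]]:
    """Map each requested URL to its matched indicators; lines matching nothing are dropped."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pass
        hits = score_request(int(m["asn"]), m["url"])
        if hits:
            findings[m["url"]] = hits
    return findings

# Constructed sample log: one benign search, one lookalike .top shop, one legitimate news site.
SAMPLE_LOG = """\
2024-11-28T10:01:02Z 10.0.0.5 AS15169 https://www.example.com/search?q=tv
2024-11-28T10:01:09Z 10.0.0.5 AS24429 https://shop-example.top/black-friday-discount
2024-11-28T10:01:11Z 10.0.0.5 AS24429 https://shop-example.top/homeapi/collect
2024-11-28T10:01:12Z 10.0.0.5 AS24429 https://shop-example.top/static/trusttollsvg.svg
2024-11-28T10:02:30Z 10.0.0.9 AS13335 https://news.example.org/black-friday-deals
"""

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_LOG).items():
        print(f"{','.join(hits):25s} {url}")
```

Requests that hit only the keyword list (the news site above) should be treated as low confidence; the kit-specific markers and the ASN list are what separate the lookalike shop from ordinary holiday traffic.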

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.