Cyber Security News

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers in Europe and the USA during the Black Friday shopping season. 

The campaign leveraged the legitimate payment processor Stripe to steal victims’ Cardholder Data (CHD) and Sensitive Authentication Data (SAD) while allowing legitimate transactions to proceed. 

The threat actor used a Chinese SaaS platform, oemapps, to rapidly create convincing fake e-commerce sites with dynamic language adjustment based on victim IP location.

The phishing sites, often typosquatting legitimate domains, used .top, .shop, .store, and .vip TLDs to deceive victims into providing sensitive information. 

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Analysts identify a pattern among Black Friday-themed phishing domains linked to the SilkSpecter threat actor, which were characterized by the presence of a deceptive “trusttollsvg” icon and a “/homeapi/collect” endpoint. 

Uncovering the pattern among Black Friday-themed phishing pages.

The icon was used to mimic trusted websites, while the endpoint allowed real-time tracking of victim interactions.

By recognizing these unique indicators, analysts were able to uncover additional discount-themed phishing domains associated with SilkSpecter’s ongoing campaign.

SilkSpecter’s phishing kit employed a multi-layered approach to deceive victims, as the Black Friday-themed phishing pages, coupled with dynamic language translation and website trackers, created a convincing illusion of legitimacy. 

Victim data, including PII, banking details, and phone numbers, was exfiltrated to attacker-controlled servers.

Stripe was abused to process real transactions, and the stolen information could be further exploited in secondary attacks like vishing or smishing. 

Payment prompt screen on phishing page that uses Stripe

It employed a sophisticated phishing scheme to target online shoppers and by mimicking legitimate platforms, they lured victims into providing sensitive financial information. 

The stolen data, including card details, was exfiltrated to a remote server via Stripe’s APIs, bypassing security measures, where the attackers likely employed social media and SEO poisoning to disseminate the malicious phishing links, capitalizing on Black Friday promotions to increase their success rate.

According to the EclecticIQ Threat Research Team, SilkSpecter, a likely Chinese threat actor, employs Mandarin-laden JavaScript comments and HTML language tags in their phishing pages, hinting at Chinese-speaking developers. 

Use of OEMAPPS library in phishing page.

Their infrastructure leans heavily on Chinese CDNs and SaaS platforms like oemapps, where analysts have linked SilkSpecter to over 89 IP addresses and 4,000 domains, many of which are tied to Chinese ASNs and companies, further solidifying the attribution.

It is a sophisticated phishing group that leverages Chinese domain registrars like West263, Hong Kong Kouming International, Cloud Yuqu, and Alibaba Cloud to mask its operations by utilizing Cloudflare’s infrastructure for further obfuscation. 

To mitigate risks, organizations should monitor URLs containing “discount,” “Black Friday,” or “/homeapi/collect” and flag domains with “trusttollsvg.” 

Tracking network traffic from ASNs 24429, 140227, 3824, 139021, and 45102 can help identify suspicious connections, while to protect individual users, employing virtual cards and setting spending limits on credit cards are recommended practices.

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

The Rise of AI-Generated Professional Headshots

It’s clear that a person’s reputation is increasingly influenced by their online presence, which spans…

10 hours ago

Hackers Abuse Google Ads To Attacking Graphic Design Professionals

Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals, as…

13 hours ago

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel…

13 hours ago

Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads

Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used open-source…

13 hours ago

Hackers Weaponizing Microsoft Teams to Gain Remote Access

Recent cybersecurity research has uncovered a concerning trend where hackers are exploiting Microsoft Teams to…

14 hours ago

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every second,…

2 days ago