A newly discovered phishing campaign tied to the Black Friday shopping season, run by a financially motivated threat actor dubbed “SilkSpecter,” is targeting e-commerce shoppers in the U.S. and Europe.
EclecticIQ’s research indicates that this campaign, active since early October 2024, employs fake discount-themed phishing sites to steal sensitive information from online shoppers eager for seasonal deals.
A pro-grade operation
SilkSpecter’s phishing strategy hinges on creating fraudulent e-commerce pages designed to resemble legitimate online stores, leveraging Black Friday discount themes and terms to increase their appeal.
These sites use fake product promotions offering up to 80% off to lure users, and victims are encouraged to enter cardholder data (CHD) and sensitive authentication data (SAD) through a payment processor that appears to use legitimate services, such as Stripe, further increasing the phishing sites' perceived authenticity. Once users enter their information, it is covertly transmitted to a server controlled by the attackers, enabling the theft of card details and personally identifiable information (PII).
SilkSpecter employs a suite of techniques to enhance the believability of its phishing sites. By using the Google Translate API, it dynamically adjusts page language based on the victim’s IP location, making the sites appear credible to international users. It also integrates social media trackers such as OpenReplay, TikTok Pixel, and Meta Pixel to monitor user interactions, allowing SilkSpecter to assess the effectiveness of each phishing attempt in real time.
Each site also includes specific code artifacts, like “trusttollsvg” icons, which create an impression of trustworthiness, and a “/homeapi/collect” endpoint that signals the attackers each time a victim engages with the page.
Carrying Chinese hallmarks
The SilkSpecter group’s infrastructure and tactics strongly suggest a Chinese origin. The phishing domains are primarily registered through Chinese companies like West263 International Limited and Alibaba Cloud.
EclecticIQ analysts discovered that the campaign uses the Chinese SaaS platform “oemapps” to expedite the creation of fake e-commerce websites, and the JavaScript embedded in the phishing sites often includes comments in Mandarin. Furthermore, SilkSpecter relies on content delivery networks (CDNs) hosted in China, allowing it to serve images and data to its fake sites while obscuring its true server locations.
EclecticIQ reports that this campaign relies heavily on typosquatting, using domains that closely resemble legitimate e-commerce sites with top-level domains like .top, .shop, and .store. EclecticIQ’s intelligence tools identified over 4,000 such domains linked to SilkSpecter’s campaigns, targeting popular online shopping terms associated with Black Friday.
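The traits described above (lookalike shopping names on .top, .shop and .store, Black Friday discount terms, and the “/homeapi/collect” beacon) can be turned into a simple triage check over web-proxy logs. The script below is an added example, not code from EclecticIQ's report; the brand watch list, the scoring threshold and the log lines are constructed assumptions rather than indicators from the campaign.

```python
# Added example (not from the EclecticIQ report); brand list, threshold and log lines are constructed.
from urllib.parse import urlsplit

SUSPECT_TLDS = {"top", "shop", "store"}          # TLDs named in the report
SHOPPING_TERMS = ("blackfriday", "black-friday", "deal", "sale", "discount", "outlet")
KNOWN_BRANDS = ("ikea", "zara", "wayfair")         # hypothetical watch list
BEACON_PATH = "/homeapi/collect"                   # victim-engagement endpoint

def levenshtein(a, b):
    # Edit distance, used to catch one- or two-character lookalike labels
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_url(url):
    """Return (score, reasons); each matched trait adds one point."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    tld = labels[-1]
    name = labels[-2] if len(labels) > 1 else host  # registrable label
    reasons = []
    if tld in SUSPECT_TLDS:
        reasons.append(f"tld:.{tld}")
    if any(term in name for term in SHOPPING_TERMS):
        reasons.append("shopping-term")
    for brand in KNOWN_BRANDS:
        # exact brand label is the real site; a near-miss or brand-plus-suffix is not
        if 0 < levenshtein(name, brand) <= 2 or (brand in name and name != brand):
            reasons.append(f"lookalike:{brand}")
            break
    if parts.path == BEACON_PATH:
        reasons.append("beacon:" + BEACON_PATH)
    return len(reasons), reasons

LOG_LINES = [  # constructed proxy log lines: <timestamp> <client> <method> <url>
    "2024-11-20T10:01:05Z 10.0.0.12 GET https://www.wayfair.com/sale",
    "2024-11-20T10:02:11Z 10.0.0.12 GET https://blackfriday-outlet.top/products",
    "2024-11-20T10:02:19Z 10.0.0.12 POST https://blackfriday-outlet.top/homeapi/collect",
    "2024-11-20T10:05:40Z 10.0.0.33 GET https://wayfalr.shop/",
]

def triage(lines, threshold=2):
    """Return (url, reasons) for each line scoring at or above threshold."""
    scored = [(line.split()[-1], *score_url(line.split()[-1])) for line in lines]
    return [(url, reasons) for url, score, reasons in scored if score >= threshold]
```

A single trait (a .shop TLD on its own, or a genuine brand on its real domain) scores below the threshold; it is the combination of a suspect TLD, a lookalike or discount-themed label and the beacon path that marks a session worth a look.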
To mitigate risks, online shoppers are advised to follow these guidelines:
- Verify that site URLs match known legitimate domains, especially during high-risk seasons like Black Friday.
- Use virtual cards with spending limits that reduce the risk of exposing primary card details during online purchases.
- Enable alerts for every online transaction, and consider enabling spending restrictions or verification requirements for online purchases.
- Avoid entering unnecessary personal details on sites, and be wary of sites requesting phone numbers that could lead to vishing or smishing attacks.