A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with fake pages impersonating legitimate brands to steal their personal information ahead of the Black Friday shopping season.
“The company took advantage of increased online shopping activity in November, during the peak Black Friday discount season. The threat actor used counterfeit discounted products as phishing lures to trick victims into providing Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII),” EclecticIQ said.
The activity, first seen in early October 2024, is attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the brands imitated include IKEA, L.L.Bean, The North Face and Wayfair.
Phishing domains have been found to use top-level domains (TLDs) such as .top, .shop, .store and .vip, often embedding the legitimate domain names of e-commerce organizations to lure victims (e.g., northfaceblackfriday[.]store). These websites advertise non-existent discounts while quietly collecting information about visitors.
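The domain pattern described above (a known brand name embedded in a registrable domain under one of the campaign's TLDs) lends itself to a simple watchlist check over proxy or DNS logs. The following is an added example, not EclecticIQ's or any vendor's code; the brand keywords and TLDs are taken from the article, while the allowlist of legitimate domains and the sample log lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Brands named in the report (lowercase, no spaces) and the TLDs the campaign's
# domains were seen using. Both lists are assumptions chosen for this example.
BRAND_KEYWORDS = ("ikea", "llbean", "northface", "wayfair")
SUSPICIOUS_TLDS = {"top", "shop", "store", "vip"}
# Legitimate registrable domains that must never be flagged (assumed allowlist).
ALLOWLIST = {"ikea.com", "llbean.com", "thenorthface.com", "wayfair.com"}
HOST_RE = re.compile(r"https?://([^/\s:]+)")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; sufficient for the generic TLDs above."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def classify(host: str) -> Optional[Tuple[str, str]]:
    """Return (domain, brand) when the registrable domain embeds a watched brand
    under one of the campaign's TLDs and is not the brand's real domain."""
    domain = registrable_domain(host)
    if domain in ALLOWLIST:
        return None
    label, _, tld = domain.rpartition(".")
    if tld not in SUSPICIOUS_TLDS:
        return None
    normalized = label.replace("-", "")  # so 'north-face' matches 'northface'
    for brand in BRAND_KEYWORDS:
        if brand in normalized:
            return domain, brand
    return None

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Pull URLs out of proxy log lines and return unique hits in order seen."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for host in HOST_RE.findall(line):
            hit = classify(host)
            if hit and hit not in hits:
                hits.append(hit)
    return hits

# Constructed sample proxy log lines, not real telemetry.
SAMPLE_LOG = [
    "2024-11-20T10:01:02Z 10.0.0.5 GET https://www.thenorthface.com/sale 200",
    "2024-11-20T10:02:17Z 10.0.0.7 GET https://northfaceblackfriday.store/checkout 200",
    "2024-11-20T10:03:44Z 10.0.0.9 GET https://ikea-deals.top/product/123 200",
    "2024-11-20T10:04:01Z 10.0.0.5 GET https://example.shop/ 200",
]
```

The two-label heuristic in registrable_domain() is deliberately simple; for multi-part public suffixes a proper public suffix list lookup would be needed.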
The flexibility and credibility of the phishing kit are increased with the help of a Google Translate component, which dynamically changes the language of the site based on the victim’s geolocation. The kit also deploys trackers such as OpenReplay, TikTok Pixel and Meta Pixel to monitor the effectiveness of the attacks.
The threat actor’s ultimate goal is to capture any sensitive financial information entered by users as part of fraudulent orders, abusing Stripe to process transactions to give them the illusion of legitimacy, while in reality the credit card details are sent to servers under the attackers’ control.
Moreover, victims are prompted to provide their phone numbers, likely because the threat actor plans to launch subsequent smishing and phishing attacks to obtain additional details, such as two-factor authentication (2FA) codes.
“By impersonating trusted entities such as financial institutions or well-known e-commerce platforms, SilkSpecter is highly likely to bypass security barriers, gain unauthorized access to victim accounts, and initiate fraudulent transactions,” EclecticIQ said.
At this time, it is unclear how these URLs are being distributed, but it is suspected that they are related to social media accounts and search engine optimization (SEO) poisoning.
These findings come weeks after the HUMAN Satori Threat Intelligence and Research team detailed another large-scale and ongoing fraud operation called Phish ‘n’ Ships, which revolves around fake online stores that also abuse digital payment providers such as Mastercard and Visa to extract money and credit card information from consumers.
The fraudulent scheme is said to have been active since 2019, infecting more than 1,000 legitimate websites to create fake product listings and using SEO tactics to artificially boost a website’s ranking in search engine results. Since then, payment processors have blocked the accounts of the threat actors, limiting their ability to cash out.
“The checkout process then goes through another online store that integrates with one of four payment processors to complete checkout,” the company said. “And even though the consumer’s money will go to the threat actor, the product will never arrive.”
The use of SEO poisoning to redirect users to fake e-commerce pages is a widespread phenomenon. According to Trend Micro, such attacks involve installing SEO malware on compromised sites, which then causes the decoy pages to appear at the top of search engine results.
“These SEO malware are installed on compromised websites to intercept web server requests and return malicious content,” the company noted. “This way, threat actors can submit the created sitemap to search engines and index the created decoy pages.”
“This pollutes search results, causing hacked website URLs to appear in searches for product names they don’t actually handle. Thus, search engine users are directed to visit these sites. The SEO malware then hijacks the request handler and redirects the user’s browser to fake e-commerce sites.”
In addition to shopping fraud, postal service users in the Balkan region have been targeted by a failed-delivery scam that uses Apple iMessage to send messages purporting to be from the postal service, instructing recipients to click on a link and enter personal and financial information to complete the delivery.
“Victims will then be required to provide their personal information, including name, residential or business address and contact information, which cybercriminals will collect and use for future phishing attempts,” Group-IB said.
“Of course, once victims pay, the money cannot be recovered and the cybercriminals become unreachable, resulting in the loss of both personal information and money.”