A sophisticated phishing campaign has emerged, targeting online shoppers in Europe and the United States by exploiting the busy shopping season ahead of Black Friday. The operation, attributed to a Chinese threat group known as SilkSpecter, uses fake e-commerce websites that impersonate popular brands to steal sensitive financial and personal information from unsuspecting victims.
These fraudulent sites promote enticing discounts to lure users into providing their cardholder details, authentication data, and personally identifiable information.
The attackers have created websites that mimic trusted brands such as IKEA, L.L.Bean, North Face, and Wayfair. These fake domains often use top-level domains like [.]top, [.]shop, [.]store, and [.]vip to appear legitimate.
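For defenders, the brand-plus-TLD pattern described above can be turned into a triage check over hostnames pulled from DNS or proxy logs. The following Python is an added example, not code from the original report; the hostnames are constructed samples, and the function names and the `allowlist` parameter are assumptions.

```python
import re

# TLDs and brands named in the article; keys are brand names with separators removed.
SUSPECT_TLDS = {"top", "shop", "store", "vip"}
BRAND_KEYWORDS = {"ikea": "IKEA", "llbean": "L.L.Bean",
                  "northface": "North Face", "wayfair": "Wayfair"}


def refang(host):
    """Undo defanging such as 'example[.]top' and normalize case."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def classify(host, allowlist=frozenset()):
    """Return (brand, tld) when host pairs a brand keyword with a suspect TLD."""
    labels = refang(host).split(".")
    if len(labels) < 2 or labels[-1] not in SUSPECT_TLDS:
        return None
    # For these TLDs the registrable domain is the last two labels.
    if ".".join(labels[-2:]) in allowlist:
        return None
    # Drop separators so 'l-l-bean' and 'north-face' still match.
    squashed = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))
    for keyword, brand in BRAND_KEYWORDS.items():
        if keyword in squashed:
            return brand, labels[-1]
    return None


def triage(hosts, allowlist=frozenset()):
    """Map each flagged hostname to the brand and TLD that triggered it."""
    hits = {}
    for host in hosts:
        result = classify(host, allowlist)
        if result:
            hits[refang(host)] = result
    return hits


# Constructed sample hostnames, not indicators from the campaign.
SAMPLE_HOSTS = [
    "www.ikea.com",                   # brand's own site, ordinary TLD
    "ikea-blackfriday-sale[.]shop",   # defanged, as in threat reports
    "l-l-bean-outlet.top",
    "deals.north-face-eu.store",
    "bikeaccessories.vip",            # false positive: 'ikea' inside 'bikeaccessories'
    "gardening-tools.store",
]

if __name__ == "__main__":
    for host, (brand, tld) in triage(SAMPLE_HOSTS).items():
        print(f"{host}: possible {brand} lookalike on .{tld}")
```

Substring matching favours recall, so short keywords produce false positives like the `bikeaccessories` sample; treat hits as leads for review and pass verified domains in `allowlist`.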
The websites use Google Translate to automatically change their language according to the user’s location, which increases credibility and creates the appearance of genuine international business operations. To track user interactions and maximise the campaign’s effectiveness, the sites also use tracking tools like OpenReplay, TikTok Pixel, and Meta Pixel.
The phishing campaign steals the financial data of online shoppers and uses phone numbers for further attacks.
The phishing campaign’s primary objective is to gather sensitive financial data under the guise of completing online purchases. The threat actors process transactions through Stripe to appear legitimate while surreptitiously exfiltrating credit card information to servers they control. Victims are also prompted to provide their phone numbers, which the attackers likely use for follow-up smishing and vishing attacks to extract additional details, such as two-factor authentication codes.
A key tactic in this operation involves manipulating search engine results through SEO poisoning. This method redirects users to fraudulent websites by injecting malware into compromised legitimate sites, ensuring that the fake pages appear prominently in search results. This technique contaminates search engines, steering users towards malicious sites under the guise of genuine deals.
The campaign shares similarities with other scams, such as the Phish 'n' Ships operation, active since 2019. This scheme also abuses payment platforms like Mastercard and Visa to steal money under the pretext of selling non-existent products. Victims of these scams often lose money with no recourse, as the attackers become untraceable once transactions are completed.
These incidents highlight the need for vigilance during the online shopping season. Online shoppers are urged to verify the legitimacy of websites, avoid clicking on unsolicited links, and exercise caution when encountering suspicious offers or unfamiliar domains.