A cunning phishing operation has surfaced, strategically targeting online consumers in Europe and the U.S. by deploying fraudulent websites that mimic reputable brands. The campaign aims to harvest sensitive personal data, capitalizing on the Black Friday shopping frenzy.
“Exploiting the surge in online shopping during November, this campaign manipulates the allure of Black Friday discounts to dupe unsuspecting individuals into disclosing their Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII),” reported EclecticIQ.
This malicious activity, first detected in October 2024, has been confidently attributed to SilkSpecter, a financially driven threat group believed to operate out of China. Brands like IKEA, L.L.Bean, The North Face, and Wayfair are among those impersonated in this fraudulent endeavor.
Manipulated Domains and False Promises
The perpetrators craft deceptive web addresses using top-level domains (TLDs) such as .top, .shop, .store, and .vip, employing typosquatting tactics to imitate legitimate e-commerce websites (e.g., northfaceblackfriday[.]shop). These pages lure victims with fictitious discounts while surreptitiously extracting sensitive information.
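As an added defender-side example (not code from EclecticIQ's report or any vendor tool), the following Python triages a candidate domain against the brand names, TLDs and lure wording this campaign used; the allow-list of real brand domains, the scoring weights and the threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Brands the report names as impersonated, and the TLDs the campaign used.
IMPERSONATED_BRANDS = ("ikea", "llbean", "northface", "wayfair")
RISKY_TLDS = {"top", "shop", "store", "vip"}
# Seasonal lure words; the report's sample domain embeds "blackfriday".
LURE_WORDS = ("blackfriday", "cybermonday", "sale", "deal", "discount")
# Assumed allow-list of the brands' genuine registrable domains (constructed).
KNOWN_GOOD = {"ikea.com", "llbean.com", "thenorthface.com", "wayfair.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://brand[.]shop/x) into a bare hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^h[xt]{2}ps?://", "", host)
    return host.split("/")[0].split(":")[0]


def registrable_domain(host: str) -> str:
    """Last two labels; sufficient for the single-label TLDs in RISKY_TLDS."""
    return ".".join(host.split(".")[-2:])


@dataclass
class Verdict:
    domain: str
    score: int
    reasons: tuple


def score_domain(indicator: str) -> Verdict:
    """Heuristic score: brand name + risky TLD + seasonal lure in one domain."""
    host = refang(indicator)
    domain = registrable_domain(host)
    if domain in KNOWN_GOOD:
        return Verdict(domain, 0, ("allow-listed",))
    tld = domain.rpartition(".")[2]
    squashed = re.sub(r"[^a-z0-9]", "", host)  # fold dots/hyphens: north-face.sale
    score, reasons = 0, []
    if any(brand in squashed for brand in IMPERSONATED_BRANDS):
        score, reasons = score + 3, reasons + ["brand name in non-brand domain"]
    if tld in RISKY_TLDS:
        score, reasons = score + 2, reasons + [f"risky TLD .{tld}"]
    if any(word in squashed for word in LURE_WORDS):
        score, reasons = score + 2, reasons + ["seasonal lure keyword"]
    return Verdict(domain, score, tuple(reasons))


def is_likely_impersonation(indicator: str, threshold: int = 5) -> bool:
    return score_domain(indicator).score >= threshold
```

Feed it newly registered domains or certificate-transparency hostnames; anything at or above the threshold is worth a manual look, while a risky TLD alone scores too low to fire.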
The phishing kit’s adaptability is further enhanced by a Google Translate feature, which dynamically adjusts the site’s language based on the victim’s geolocation. Additionally, analytics and tracking scripts such as OpenReplay, TikTok Pixel, and Meta Pixel are embedded to monitor victim interaction and refine the attack’s efficacy.
Financial Deception Masked in Legitimacy
The ultimate objective is to intercept sensitive financial details entered by users during fake purchase transactions. By routing payments through Stripe, a legitimate processor, attackers create an illusion of legitimacy while covertly siphoning credit card data to their own servers.
Victims are also prompted to provide their phone numbers—a likely precursor to follow-up smishing (SMS phishing) and vishing (voice phishing) schemes aimed at extracting further details such as two-factor authentication (2FA) codes.
“By mimicking trusted institutions and renowned retail platforms, SilkSpecter has the potential to bypass security measures, gain unauthorized access to user accounts, and initiate fraudulent financial activities,” EclecticIQ explained.
Dissemination Methods and Broader Threats
While the exact method of distributing these fraudulent URLs remains uncertain, it is suspected to involve social media manipulation and search engine optimization (SEO) poisoning. This tactic has proven effective in redirecting users to counterfeit e-commerce pages.
A related investigation by HUMAN’s Satori Threat Intelligence and Research team uncovered a sprawling fraud campaign, dubbed Phish ‘n’ Ships, which employs similar techniques. Active since 2019, this scheme has infected over 1,000 legitimate websites, leveraging black hat SEO strategies to elevate the visibility of fake product listings.
The SEO Poisoning Mechanism
Such attacks frequently involve planting SEO malware on compromised sites. This malware intercepts server requests and injects malicious content, enabling the creation of deceptive sitemaps designed to manipulate search engine indexing.
“These actions contaminate search results, causing URLs of compromised websites to appear in searches for products they don’t actually offer,” noted Trend Micro. “Once users click on these results, they are redirected to counterfeit e-commerce platforms designed to harvest their information.”
Additional Scams: Beyond E-Commerce
Outside of shopping fraud, postal-service users in the Balkans are being targeted with a failed-delivery scam propagated via Apple iMessage. The scam masquerades as official communication from postal services, urging recipients to click a link and provide personal and financial data to resolve delivery issues.
“Victims are coaxed into disclosing their personal details, including names, addresses, and contact numbers, which are later exploited for subsequent phishing attempts,” stated Group-IB. “Once payments are made, victims find themselves unable to recover their funds or contact the fraudsters, resulting in both financial and personal data losses.”
Conclusion
This surge in fraudulent activity underlines the critical importance of vigilance during the shopping season. As cybercriminals refine their methods to exploit consumer trust, understanding the risks and adopting robust security measures remain paramount.