Chinese hacker group SilkSpecter launched a phishing campaign targeting Black Friday shoppers in Europe and the USA, using Stripe to steal card data while allowing legitimate transactions.
SilkSpecter’s Phishing Campaign
The threat actor used the Chinese SaaS platform oemapps to quickly create fake e-commerce sites that adjusted language based on the victim’s IP location. These phishing sites, often mimicking legitimate domains, used deceptive TLDs like .top, .shop, .store, and .vip to steal sensitive information.
Analysts found a pattern in Black Friday phishing domains linked to SilkSpecter, marked by a fake ‘trusttollsvg’ icon and a ‘/homeapi/collect’ endpoint.
The “trusttollsvg” icon was used to imitate trusted sites, while the “/homeapi/collect” endpoint tracked victim interactions in real time.
By spotting these signs, analysts found more discount-themed phishing domains tied to SilkSpecter’s campaign. The phishing kit used a multi-layered approach, combining Black Friday themes, dynamic language translation, and website trackers to create a realistic appearance.
Stolen data, including personal info, banking details, and phone numbers, was sent to attacker-controlled servers. Stripe was used to process real transactions, with the stolen data potentially exploited in follow-up attacks like vishing or smishing.
SilkSpecter used a sophisticated phishing scheme to target online shoppers, mimicking legitimate platforms to steal financial data. The stolen card details were sent to a remote server via Stripe’s APIs, bypassing security. The attackers likely used social media and SEO tactics to spread phishing links, taking advantage of Black Friday promotions.
EclecticIQ’s research team notes that SilkSpecter, a likely Chinese threat actor, uses Mandarin-language code in their phishing pages, suggesting Chinese-speaking developers.
SilkSpecter relies on Chinese CDNs and SaaS platforms like oemapps, linked to over 89 IPs and 4,000 domains, many tied to Chinese ASNs, confirming the attribution. They mask operations using Chinese domain registrars and Cloudflare.
To reduce risks, monitor URLs with keywords like “discount,” “Black Friday,” or “/homeapi/collect,” and flag domains with “trusttollsvg.” Track network traffic from ASNs 24429, 140227, 3824, 139021, and 45102 for suspicious activity. For individual protection, use virtual cards and set spending limits.
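The indicators above can be turned into a simple triage over web proxy logs. This is an added example, not code from the report or from EclecticIQ; the log format, hostnames and client addresses are constructed for the demo, and only the path markers, keywords, TLDs and ASNs come from the text.

```python
import re
from urllib.parse import urlparse

# Indicators named in the report above; everything else in this file is constructed.
PATH_MARKERS = ("/homeapi/collect", "trusttollsvg")
KEYWORDS = ("discount", "blackfriday")
SUSPICIOUS_TLDS = (".top", ".shop", ".store", ".vip")
WATCHED_ASNS = {24429, 140227, 3824, 139021, 45102}

def url_indicators(url: str) -> list[str]:
    """Return every indicator a URL matches (an empty list means nothing matched)."""
    parsed = urlparse(url.lower())
    host = parsed.hostname or ""
    # Collapse separators so 'black-friday', 'black_friday' and 'black%20friday' all match.
    flat = re.sub(r"[-_\s]|%20", "", parsed.geturl())
    hits = [f"marker:{m}" for m in PATH_MARKERS if m in flat]
    hits += [f"keyword:{k}" for k in KEYWORDS if k in flat]
    hits += [f"tld:{t}" for t in SUSPICIOUS_TLDS if host.endswith(t)]
    return hits

# Constructed proxy log format (hypothetical): "<timestamp> <client_ip> AS<dest_asn> <url>"
LOG_FORMAT = re.compile(r"^(\S+) (\S+) AS(\d+) (\S+)$")

def triage(log_lines: list[str]) -> list[dict]:
    """Flag lines whose URL matches an indicator or whose destination ASN is on the watch list."""
    alerts = []
    for line in log_lines:
        m = LOG_FORMAT.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, asn, url = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        reasons = url_indicators(url)
        if asn in WATCHED_ASNS:
            reasons.append(f"asn:{asn}")
        if reasons:
            alerts.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-11-25T10:01:02Z 10.0.0.5 AS15169 https://www.example.com/checkout",
    "2024-11-25T10:02:11Z 10.0.0.8 AS139021 https://black-friday-deals.shop/homeapi/collect?step=card",
    "2024-11-25T10:03:40Z 10.0.0.9 AS13335 https://bigdiscount-outlet.top/img/trusttollsvg.svg",
    "2024-11-25T10:04:05Z 10.0.0.5 AS24429 https://cdn.example.net/static/app.js",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["url"], ", ".join(alert["reasons"]))
```

An ASN-only hit (the last sample line) is weak on its own, so in practice it should raise priority for review rather than block traffic outright.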