How does SilkSpecter mask fraudulent sites so plausibly?
Researchers at EclecticIQ have identified a large-scale phishing campaign targeting bargain hunters in the run-up to Black Friday. They attribute the attacks to SilkSpecter, a financially motivated Chinese group. The campaign covers the U.S. and Europe and lures victims with deep-discount offers in order to collect their personal data and payment card details.
The goal of the attack was to steal bank card data. To make this possible, SilkSpecter routed real payments through the legitimate Stripe payment processor, so purchases actually went through while the card details entered were captured. The sites were made to look as convincing as possible, and their language switched automatically to match the visitor's location using Google Translate.
SilkSpecter has carried out similar attacks before. The sites used the ".top", ".shop", ".store" and ".vip" top-level domains and masqueraded as legitimate online stores. Each phishing site embedded trackers and tracking pixels (OpenReplay, TikTok Pixel, Meta Pixel) that monitored visitor activity.
To give the sites a trustworthy appearance, the attackers added a "trusttollsvg" trust-badge icon; they also collected data covertly through a "/homeapi/collect" endpoint that recorded each visit. The collected information was sent to servers controlled by SilkSpecter.
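The indicators named above (storefronts on the ".top", ".shop", ".store" and ".vip" TLDs, the "trusttollsvg" icon and the "/homeapi/collect" beacon path) are the kind of thing a defender can match against web-proxy logs. The script below is an added example, not code from EclecticIQ or from the article: the log format, every domain and client address in it, and the indicator weights and threshold are assumptions constructed for the illustration.

```python
"""Score web-proxy log lines for the SilkSpecter storefront indicators
described in the article. Added example; log format, domains, weights
and threshold are constructed assumptions, not published indicators."""
from collections import defaultdict
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"top", "shop", "store", "vip"}  # TLDs named in the article
COLLECT_PATH = "/homeapi/collect"                  # beacon path named in the article
TRUST_ICON_MARKER = "trusttollsvg"                 # icon name named in the article

# Weights and threshold are this example's own choice: a TLD alone is weak
# evidence (plenty of legitimate shops use .shop), while the beacon path or
# the icon name is much more specific.
WEIGHTS = {"tld": 1, "collect_path": 2, "trust_icon": 2}
THRESHOLD = 2


def indicators_for_url(url: str) -> list[str]:
    """Return the names of the indicators present in a single URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    found = []
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    if tld in SUSPICIOUS_TLDS:
        found.append("tld")
    if parsed.path.rstrip("/") == COLLECT_PATH:
        found.append("collect_path")
    if TRUST_ICON_MARKER in url.lower():
        found.append("trust_icon")
    return found


def score(indicators: list[str]) -> int:
    return sum(WEIGHTS[name] for name in indicators)


def parse_proxy_line(line: str):
    """Parse one line of the constructed format:
    '<timestamp> <client_ip> <method> <url> <status>'. Returns None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def find_suspicious(lines: list[str]) -> list[dict]:
    """Return every request whose indicator score reaches THRESHOLD."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:  # skip malformed lines instead of crashing the sweep
            continue
        inds = indicators_for_url(rec["url"])
        total = score(inds)
        if total >= THRESHOLD:
            hits.append({"client": rec["client"], "url": rec["url"],
                         "indicators": inds, "score": total})
    return hits


def hosts_by_client(hits: list[dict]) -> dict[str, set[str]]:
    """Group flagged storefront hosts per client, to see who reached which site."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["client"]].add(urlparse(hit["url"]).hostname)
    return dict(grouped)


# Constructed sample log: no real domains, clients or timestamps.
SAMPLE_LOG = [
    "2024-11-20T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-11-20T10:01:09Z 10.0.0.5 GET https://constructed-deals-1.top/ 200",
    "2024-11-20T10:01:12Z 10.0.0.5 GET https://constructed-deals-1.top/static/trusttollsvg 200",
    "2024-11-20T10:01:15Z 10.0.0.5 POST https://constructed-deals-1.top/homeapi/collect 200",
    "2024-11-20T10:02:00Z 10.0.0.7 GET https://shop.legit-example.com/api/collect 200",
    "2024-11-20T10:02:30Z 10.0.0.7 GET https://constructed-boutique.store/cart 200",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['client']} {hit['url']} score={hit['score']} {hit['indicators']}")
    print(hosts_by_client(find_suspicious(SAMPLE_LOG)))
```

Note that the bare storefront visit on a ".top" domain (score 1) and the ".store" cart page are not flagged on their own; the beacon path or the icon name has to be present too. In a real deployment the two stronger indicators would justify alerting by themselves, and the TLD list mainly serves to raise the priority of a hit.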
The campaign's infrastructure was built on Chinese servers and hosted with Chinese providers. Analysts noted that SilkSpecter actively uses domains registered through Chinese registrars such as West263 and Cloud Yuqu LLC. About 85% of the IP addresses were fronted by Cloudflare, which helped hide the attackers' real location.
As one protective measure, experts recommend using virtual bank cards for online purchases and setting low transaction limits on them. This limits the potential loss if the card details are stolen.
Source