SilkSpecter steals bank card details through fake online stores

Man

EclecticIQ researchers have discovered that the Chinese hacking group SilkSpecter has created more than 4000 bogus online stores aimed at stealing the bank card data of users in the United States and Europe.

This campaign, which involved a total of 4695 domains, was launched in October 2024, and users were offered large discounts in the run-up to Black Friday, when there is usually increased buying activity.

The attackers' sites impersonate well-known brands, including The North Face, Lidl, Bath & Body Works, L.L. Bean, Wayfair, Makita, IKEA, and Gardena. In many cases the domain names also contain the string "Black Friday", so the campaign is clearly aimed at shoppers looking for discounts.

Researchers note that SilkSpecter's sites are well-designed and appear authentic at first glance. However, they use top-level domains in the .shop, .store, .vip, and .top zones, which are not associated with large brands and trusted stores. Also, depending on the location of the victim, sites use Google Translate for automatic translation.
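The indicators above (unusual TLDs, a "Black Friday" lure string in the hostname, and a retail brand name in a domain the brand does not own) lend themselves to a simple triage rule a defender can run over proxy or DNS logs. The following is an added example written for this post, not EclecticIQ's tooling or anything from the report: the brand token list comes from the brands named above, while the scoring weights, the allowlist of real brand domains, and the log lines are constructed for illustration and would be replaced with an organisation's own data.

```python
"""Heuristic triage of proxy-log hostnames for SilkSpecter-style lookalike
storefronts. Added illustration; weights, allowlist and log lines are constructed."""
from urllib.parse import urlsplit

# TLDs the report says the fake stores use and real brands rarely do.
SUSPICIOUS_TLDS = {"shop", "store", "vip", "top"}
# Lure string the report says appears in many of the domain names.
LURE_TOKENS = ("blackfriday",)
# Brands named in the report, squashed to alphanumerics for substring matching.
BRAND_TOKENS = {
    "northface": "The North Face",
    "lidl": "Lidl",
    "bathandbodyworks": "Bath & Body Works",
    "llbean": "L.L. Bean",
    "wayfair": "Wayfair",
    "makita": "Makita",
    "ikea": "IKEA",
    "gardena": "Gardena",
}
# Domains the defender has verified as the brands' real sites. Constructed
# allowlist for this example; maintain your own from verified sources.
ALLOWLIST = {"ikea.com", "lidl.com", "wayfair.com"}

# Constructed sample log: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2024-11-20T10:01:02Z 10.0.0.5 GET https://www.ikea.com/us/en/
2024-11-20T10:02:17Z 10.0.0.5 GET https://ikea-blackfriday.shop/checkout
2024-11-20T10:03:44Z 10.0.0.9 GET https://l-l-bean-outlet.vip/cart
2024-11-20T10:04:10Z 10.0.0.9 GET https://deals.example.store/
2024-11-20T10:05:00Z 10.0.0.7 GET https://news.example.org/black-friday-tips
"""


def extract_host(url):
    """Hostname of a URL, lower-cased, with a leading 'www.' removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().removeprefix("www.")


def squash(text):
    """Drop separators so 'black-friday', 'black.friday' and 'blackfriday' match alike."""
    return "".join(ch for ch in text if ch.isalnum())


def score_host(host, allowlist=ALLOWLIST):
    """Return (score, reasons) for a hostname. Weights are assumptions for this example."""
    host = host.lower().removeprefix("www.")
    reasons = []
    if not host or host in allowlist:
        return 0, reasons
    labels = host.split(".")
    tld = labels[-1]
    # Join all non-TLD labels; a brand split across labels still matches,
    # at the cost of occasional matches across label boundaries.
    body = squash("".join(labels[:-1]))
    score = 0
    if tld in SUSPICIOUS_TLDS:
        score += 2
        reasons.append(f"suspicious tld .{tld}")
    for lure in LURE_TOKENS:
        if lure in body:
            score += 2
            reasons.append(f"lure '{lure}' in hostname")
    for token, brand in BRAND_TOKENS.items():
        if token in body:
            score += 3
            reasons.append(f"brand '{brand}' in non-allowlisted domain")
    return score, reasons


def verdict(score):
    """Map a score to a triage bucket; thresholds are assumptions."""
    if score >= 5:
        return "likely-lookalike"
    if score >= 2:
        return "review"
    return "clean"


def triage(log_text, allowlist=ALLOWLIST):
    """Score every URL in a whitespace-separated log; URL is the last field."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        host = extract_host(fields[-1])
        score, reasons = score_host(host, allowlist)
        results.append({"host": host, "score": score,
                        "verdict": verdict(score), "reasons": reasons})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['verdict']:17} {row['score']:2}  {row['host']}  {row['reasons']}")
```

Only the hostname is scored: the last sample line carries "black-friday" in the URL path on an unrelated domain and correctly comes out clean, while the hyphenated L.L. Bean lookalike is caught because separators are squashed before matching. The brand-substring check is deliberately loose, so the allowlist of verified brand domains is what keeps the real sites out of the review queue.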

Moreover, the legitimate Stripe payment system is integrated into the phishing stores, which gives them a veneer of authenticity but does not stop the attackers from stealing the bank card details entered on the page.

According to experts, SilkSpecter uses tracking tools such as OpenReplay, TikTok Pixel, and Meta Pixel on its sites. They help track visitor behavior, allowing hackers to adjust their tactics to improve efficiency.

When a user tries to make a purchase on such a site, they are redirected to a payment page where they are asked to enter their credit card number, expiration date, and CVV code. In the last step of "checkout", a phone number is also requested.

Researchers believe that the hackers collect phone numbers for use in follow-up phishing attacks, which will be needed to bypass two-factor authentication when the stolen card is used.

That is, SilkSpecter not only takes the victim's payment for the fake order by abusing Stripe, but also steals the bank card data entered by the user, which is ultimately sent to a server controlled by the attackers.

According to experts, SilkSpecter's connection with China is indicated by the use of Chinese IP addresses and ASNs, Chinese domain registrars, Chinese-language traces in the code, and the fact that the attackers previously used the Chinese SaaS platform oemapps.
