SilkSpecter, a Chinese threat actor, launched a phishing campaign in early October 2024, targeting European and American e-commerce shoppers seeking Black Friday deals. The attackers used fake discounted products to trick victims into revealing sensitive financial and personal information.
The threat actor abused Stripe’s legitimate payment processing capabilities to steal Cardholder Data (CHD) from victims who had no indication that anything was wrong.
By disguising malicious activity within genuine transactions and employing IP-based language adaptation, the attackers successfully deceived a wider range of potential targets.
SilkSpecter leverages the oemapps SaaS platform to rapidly construct convincing phishing sites, primarily targeting e-commerce users through domains registered under the .top, .shop, .store, and .vip TLDs, often employing typosquatting techniques.
Researchers identified a pattern in Black Friday-themed phishing domains linked to SilkSpecter, which used deceptive “trusttollsvg” icons and “/homeapi/collect” endpoints to track victim interactions, allowing real-time monitoring of campaign success.
The SilkSpecter phishing kit employed a Black Friday theme to lure victims; it tracked user activity with OpenReplay, TikTok Pixel, and Meta Pixel, captured browser metadata, and dynamically translated content using Google Translate APIs to enhance its authenticity and effectiveness.
Its phishing campaign exploited Stripe to steal victims’ PII, financial data, and phone numbers, potentially enabling further attacks like vishing and smishing and facilitating unauthorized access to victims’ accounts for financial fraud.
The phishing site, disguised as a legitimate retailer, covertly records user payment sessions and exfiltrates sensitive banking details to an attacker-controlled server, leveraging Stripe’s APIs while employing social engineering tactics like Black Friday discounts to lure victims.
EclecticIQ analysts attribute the campaign to the Chinese threat actor SilkSpecter based on Mandarin comments in the JavaScript code and “zh-CN” language tags in the HTML, indicating development by Chinese-speaking individuals.
SilkSpecter deploys its phishing infrastructure on Chinese-hosted CDN servers and the oemapps SaaS platform, using multiple IP addresses and domains linked to Chinese entities to conduct widespread phishing attacks.
SilkSpecter frequently conceals its operations behind Chinese domain registrars such as West263, Hong Kong Kouming, Cloud Yuqu, and Alibaba Cloud.
Monitor URLs for phishing attacks with a Black Friday theme, paying particular attention to specific patterns and indicators of compromise (IOCs) associated with SilkSpecter.
Detect suspicious network traffic to ASNs linked to Chinese entities, potentially indicating malicious activity, and employ virtual cards and payment restrictions to minimize the attack surface and protect against financial fraud.
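A URL-monitoring heuristic built from the indicators the report names (the “/homeapi/collect” endpoint, the “trusttollsvg” icon, the abused .top/.shop/.store/.vip TLDs and the Black Friday lure), added here as an example rather than EclecticIQ's own code; the protected brand list, the alert threshold and the proxy-log lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Indicators from the report: kit endpoint and icon name, abused TLDs, lure theme.
KIT_MARKERS = ("/homeapi/collect", "trusttollsvg")
SUSPICIOUS_TLDS = {"top", "shop", "store", "vip"}
THEME_TERMS = ("blackfriday", "black-friday")
# Constructed list of retailer brands to protect from typosquatting (hypothetical).
PROTECTED_BRANDS = ("shopmart", "megadeals")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; distance 1 from a brand label is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_target(host: str):
    """Return the protected brand the host's second-level label imitates, if any."""
    labels = host.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else ""
    return next((b for b in PROTECTED_BRANDS if sld != b and levenshtein(sld, b) <= 1), None)

def score_url(url: str):
    """Count SilkSpecter indicators in one URL; returns (score, reasons)."""
    host, lowered = urlparse(url).netloc.lower(), url.lower()
    checks = [
        ("abused-tld", host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS),
        ("kit-artifact", any(k in lowered for k in KIT_MARKERS)),
        ("black-friday-theme", any(t in lowered for t in THEME_TERMS)),
    ]
    brand = typosquat_target(host)
    if brand:
        checks.append((f"typosquat:{brand}", True))
    reasons = [name for name, hit in checks if hit]
    return len(reasons), reasons

def scan_log(lines, threshold=2):
    """Flag proxy-log lines whose URL shows at least `threshold` indicators."""
    urls = [m.group(0) for m in map(re.compile(r"https?://\S+").search, lines) if m]
    return [(u, *score_url(u)) for u in urls if score_url(u)[0] >= threshold]
# Constructed sample proxy-log lines (not real traffic).
SAMPLE_LOG = [
    "2024-10-12T10:01:02Z 10.0.0.5 GET https://shopmart.com/blackfriday 200",
    "2024-10-12T10:02:11Z 10.0.0.5 POST https://shopmarl.top/homeapi/collect 200",
    "2024-10-12T10:02:12Z 10.0.0.5 GET https://shopmarl.top/img/trusttollsvg.svg 200",
    "2024-10-12T10:03:45Z 10.0.0.7 GET https://news.example.org/black-friday-tips 200",
]
```

A single Black Friday keyword on a legitimate domain scores 1 and is not flagged; the kit endpoint or icon on a typosquatted .top domain accumulates three indicators and is.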