Financially Motivated Threat Actor, SilkSpecter, Targeting Black Friday Shoppers

New campaign represents a sophisticated and well-coordinated effort to exploit the e-commerce boom surrounding Black Friday.

Summary

In early October 2024, EclecticIQ analysts discovered a large-scale phishing campaign targeting e-commerce shoppers in Europe and the USA. The campaign capitalized on the heightened online shopping activity around Black Friday and is believed to have been orchestrated by a Chinese, financially motivated threat actor, referred to as SilkSpecter. It enticed victims with fake discounted Black Friday deals designed to collect sensitive financial information, including cardholder data, and Personally Identifiable Information (PII).

The threat actor used techniques such as the abuse of the legitimate payment processor Stripe and dynamic website language translation, making the phishing sites appear highly credible. The SilkSpecter group is linked to previous campaigns, many of which used a Chinese SaaS platform known as oemapps to quickly deploy fake e-commerce websites. EclecticIQ analysts assess with high confidence, based on SilkSpecter's tactics, infrastructure, and language markers, that Chinese threat actors are involved.

Community Impact

The SilkSpecter phishing campaign represents a sophisticated and well-coordinated effort by a financially motivated Chinese threat actor to exploit the e-commerce boom surrounding Black Friday. Given the scale and sophistication of this campaign, RH-ISAC Core Members should adopt enhanced security measures to defend against similar future threats, review the tactics, techniques, and procedures contained in this report and the original EclecticIQ report, and ingest the Indicators of Compromise provided below when feasible.

Analysis

The SilkSpecter phishing campaign was launched in anticipation of Black Friday 2024, leveraging the annual spike in online shopping activity. The threat actor targeted e-commerce consumers with fake websites promoting significant discounts, often as high as 80%. This social engineering tactic was designed to lure users into providing sensitive information, including credit card details, login credentials, and other personally identifiable data. The phishing sites appeared to offer legitimate deals and were highly convincing because of well-crafted fake product listings combined with checkout through a reputable payment processor, Stripe, so the payment step itself looked legitimate.

EclecticIQ analysts have high confidence in attributing this campaign to a Chinese threat actor known as SilkSpecter. This attribution is supported by multiple indicators:

  • Language Analysis: The phishing sites contained JavaScript code with comments written in Mandarin, suggesting involvement from Chinese-speaking developers. The HTML also declared the page language as “zh-CN”. Because the sites targeted European and US shoppers and relied on dynamic translation to render in the visitor’s language, the Chinese default language points to the developers rather than to the intended audience.
  • Infrastructure Analysis: SilkSpecter’s infrastructure relied on servers and services commonly associated with Chinese organizations. This included the use of Chinese-hosted Content Delivery Networks (CDNs) for serving images and reliance on a Chinese SaaS platform (oemapps) to quickly create and manage fake e-commerce sites. Additionally, over 89 IP addresses and more than 4,000 domains linked to phishing activities were traced to Chinese companies or Chinese-affiliated services.
  • Domain Registration and Hosting: A significant portion of SilkSpecter’s phishing domains was registered through Chinese domain registrars, including West263 International Limited and Alibaba Cloud. While many of the phishing sites were fronted by Cloudflare to mask their origin, the underlying infrastructure still pointed to China as the likely base of operations.
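The language markers above (a `zh-CN` page language and CJK characters in JavaScript comments) are cheap to check when triaging a suspected lookalike storefront. The following scanner is an added example written for this summary, not code from EclecticIQ or from the campaign; the sample HTML, the hostname `cdn.example-hosting.invalid`, and the comment text are constructed. It reads the `<html lang>` attribute, pulls comments out of inline `<script>` blocks, flags those containing CJK characters, and lists image hosts so an analyst can check where images are served from. The comment extraction is a regex heuristic (a `//` inside a JavaScript string literal would be picked up too), which is acceptable for triage but not for a production parser.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Heuristic patterns for the markers named in the report.
CJK = re.compile(r"[\u4e00-\u9fff]")                       # common CJK ideographs
LANG_ATTR = re.compile(r"<html[^>]*\blang\s*=\s*[\"']?([A-Za-z-]+)", re.IGNORECASE)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
JS_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)  # heuristic: ignores strings
IMG_SRC = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


@dataclass
class PageMarkers:
    html_lang: Optional[str]
    cjk_comments: List[str] = field(default_factory=list)
    image_hosts: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """True when the page carries either language marker from the report."""
        return (self.html_lang or "").lower() == "zh-cn" or bool(self.cjk_comments)


def scan_page(html: str) -> PageMarkers:
    """Extract the zh-CN lang tag, CJK-bearing JS comments and image hosts from raw HTML."""
    m = LANG_ATTR.search(html)
    markers = PageMarkers(html_lang=m.group(1) if m else None)

    for script_body in SCRIPT.findall(html):
        for comment in JS_COMMENT.findall(script_body):
            if CJK.search(comment):
                markers.cjk_comments.append(comment.strip())

    for src in IMG_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in markers.image_hosts:   # keep order, drop duplicates
            markers.image_hosts.append(host)
    return markers


# Constructed sample page (hypothetical, not captured from the campaign).
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="zh-CN">
<head><title>Black Friday Sale - 80% Off</title></head>
<body>
<img src="https://cdn.example-hosting.invalid/img/banner.jpg">
<script>
// 初始化翻译 (constructed sample comment)
var lang = navigator.language;
/* 支付跳转 */
function pay() { return lang; }
</script>
</body></html>"""

if __name__ == "__main__":
    result = scan_page(SAMPLE_HTML)
    print("lang:", result.html_lang)
    print("CJK comments:", result.cjk_comments)
    print("image hosts:", result.image_hosts)
    print("suspicious:", result.suspicious)
```

Run it against a saved copy of a suspect page rather than fetching live: a hit on either marker is a lead for the analyst, not proof of attribution on its own, since legitimate Chinese-language storefronts will trip the same check.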

Indicators of Compromise

The following indicators of compromise were provided by EclecticIQ researchers and are highly recommended for ingestion. Domains are defanged with [.] and must be refanged before loading into blocklists or detection rules.

587b05cd8d59f9820d2cf168b07d46b1519d12ee7a2f7062a2490da0a99ccb50

9a049fe87fe472bd6e2a9f361b78a64576be9f827f9668af69bec03f5cbef0da

northfaceblackfriday[.]shop

lidl-blackfriday-eu[.]shop

bbw-blackfriday[.]shop

llbeanblackfridays[.]shop

dopeblackfriday[.]shop

wayfareblackfriday[.]com

makitablackfriday[.]shop

blackfriday-shoe[.]top

eu-blochdance[.]shop

ikea-euonline[.]com

gardena-eu[.]com
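To act on this list, a defender needs to refang the domains, separate the 64-hex-character hashes from the domains, and match them against telemetry in a way that catches subdomains (for example www.lidl-blackfriday-eu[.]shop) without producing false hits on unrelated names that merely contain an indicator as a substring. The script below is an added example written for this summary, not code from EclecticIQ or RH-ISAC; it embeds the indicator list from this page and a constructed set of DNS, proxy and EDR log lines (the hostnames under .example and .invalid, the client IPs and the timestamps are made up). The page does not state the hash algorithm, so the example only assumes the two hashes are 64-character hex digests as printed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Indicators copied from this page, still defanged.
RAW_IOCS = """
587b05cd8d59f9820d2cf168b07d46b1519d12ee7a2f7062a2490da0a99ccb50
9a049fe87fe472bd6e2a9f361b78a64576be9f827f9668af69bec03f5cbef0da
northfaceblackfriday[.]shop
lidl-blackfriday-eu[.]shop
bbw-blackfriday[.]shop
llbeanblackfridays[.]shop
dopeblackfriday[.]shop
wayfareblackfriday[.]com
makitablackfriday[.]shop
blackfriday-shoe[.]top
eu-blochdance[.]shop
ikea-euonline[.]com
gardena-eu[.]com
"""

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)            # 64-hex digests
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)  # dotted hostnames


def refang(value: str) -> str:
    """Undo the common defanging conventions so indicators match real telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> Tuple[Set[str], Set[str]]:
    """Split an indicator list into (hashes, domains), normalised to lowercase."""
    hashes: Set[str] = set()
    domains: Set[str] = set()
    for line in text.splitlines():
        line = refang(line.strip().lower())
        if not line:
            continue
        (hashes if HASH_RE.fullmatch(line) else domains).add(line)
    return hashes, domains


def domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Return the indicator a host matches exactly or as a subdomain, else None.

    Matching on a label boundary avoids hits on e.g. notnorthfaceblackfriday.shop
    or on indicator.shop.evil.example, where the indicator is only a substring.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


@dataclass
class Hit:
    line_no: int
    kind: str       # "domain" or "hash"
    value: str      # what was seen in the log
    indicator: str  # which indicator it matched


def scan_log(lines: Iterable[str], hashes: Set[str], domains: Set[str]) -> List[Hit]:
    """Match every hostname and 64-hex digest in each log line against the indicators."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in hashes:
                hits.append(Hit(n, "hash", h.lower(), h.lower()))
        for host in HOST_RE.findall(line):
            ind = domain_hit(host, domains)
            if ind:
                hits.append(Hit(n, "domain", host.lower(), ind))
    return hits


# Constructed sample telemetry (hypothetical; not from any real environment).
SAMPLE_LOG = [
    "2024-11-20T10:02:11Z dns client=10.1.2.3 qname=www.lidl-blackfriday-eu.shop qtype=A",
    "2024-11-20T10:02:12Z proxy client=10.1.2.3 url=https://wayfareblackfriday.com/checkout status=200",
    "2024-11-20T10:02:13Z dns client=10.1.2.4 qname=lidl-blackfriday-eu.shop.evil.example qtype=A",
    "2024-11-20T10:02:14Z dns client=10.1.2.5 qname=notnorthfaceblackfriday.shop qtype=A",
    "2024-11-20T10:03:00Z edr host=ws42 event=file_create "
    "sha256=587B05CD8D59F9820D2CF168B07D46B1519D12EE7A2F7062A2490DA0A99CCB50",
    "2024-11-20T10:03:05Z dns client=10.1.2.6 qname=shop.example.com qtype=A",
]

if __name__ == "__main__":
    hashes, domains = parse_iocs(RAW_IOCS)
    for hit in scan_log(SAMPLE_LOG, hashes, domains):
        print(f"line {hit.line_no}: {hit.kind} {hit.value} matched {hit.indicator}")
```

Only lines 1, 2 and 5 of the sample produce hits; lines 3 and 4 are the substring cases a naive `in` check would have flagged. Feed the same functions a DNS or proxy export and treat each domain hit as a user who reached a SilkSpecter storefront and may have entered card data.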
