Inside the Intelligence Center: Financially Driven Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

Summary:

In October 2024, EclecticIQ analysts identified a phishing campaign targeting e-commerce shoppers in Europe and the USA, attributed to a Chinese threat actor known as SilkSpecter. The campaign exploited Black Friday shopping trends, using fake discounts to steal sensitive information, including Cardholder Data (CHD) and Personally Identifiable Information (PII), through deceptive phishing sites that mimicked legitimate e-commerce platforms.

Key points:

  • SilkSpecter targeted e-commerce shoppers during the Black Friday season.
  • The phishing campaign utilized fake discounted products to lure victims.
  • Legitimate payment processor Stripe was abused to process transactions while exfiltrating sensitive data.
  • Phishing sites dynamically adjusted language using Google Translate to appear credible.
  • SilkSpecter previously launched similar campaigns linked to a Chinese SaaS platform, oemapps.
  • Phishing domains often used .top, .shop, .store, and .vip TLDs, including typosquatting tactics.
  • Indicators such as “trusttollsvg” icons and “/homeapi/collect” endpoints were used to track victim interactions.
  • The phishing kit included trackers like OpenReplay, TikTok Pixel, and Meta Pixel to monitor attack effectiveness.
  • Victims were prompted for phone numbers, potentially leading to further attacks like vishing and smishing.
  • SilkSpecter’s infrastructure was linked to Chinese domain registrars and CDNs.

MITRE Techniques:

  • Phishing (T1566): Utilizes fake e-commerce sites to deceive victims into providing sensitive information.
  • Exploitation of Remote Services (T1210): Abuses legitimate payment services (Stripe) to process transactions and exfiltrate data.
  • Command and Control (T1071): Uses multiple command and control domains to maintain communication with compromised systems.
  • Data from Information Repositories (T1213): Collects sensitive data such as CHD and PII from victims.

IoC:

  • [domain] northfaceblackfriday.shop
  • [domain] lidl-blackfriday-eu.shop
  • [domain] bbw-blackfriday.shop
  • [domain] llbeanblackfridays.shop
  • [domain] dopeblackfriday.shop
  • [domain] wayfareblackfriday.com
  • [domain] makitablackfriday.shop
  • [domain] blackfriday-shoe.top
  • [domain] eu-blochdance.shop
  • [domain] ikea-euonline.com
  • [domain] gardena-eu.com
  • [url] longnr[.]com/payment/event-log[.]php
  • [file hash] 587b05cd8d59f9820d2cf168b07d46b1519d12ee7a2f7062a2490da0a99ccb50
  • [file hash] 9a049fe87fe472bd6e2a9f361b78a64576be9f827f9668af69bec03f5cbef0da

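The indicator list above is most useful once it is turned into something that can be run over egress telemetry. The following script is an added example for this write-up, not EclecticIQ's tooling or code from the report: it loads the IoC domains, URL, hashes, the "/homeapi/collect" tracking endpoint and the "trusttollsvg" kit marker named in the key points, and matches constructed web-proxy log lines against them. The "lure_pattern" heuristic (a Black Friday string on the .top/.shop/.store/.vip TLDs the campaign favoured) is an assumption drawn from the domain naming in the IoC list, not a rule from the report, and is reported separately so it can be reviewed rather than blocked on.

```python
# Added example (not from the EclecticIQ report): defender-side triage of
# web-proxy logs against the SilkSpecter indicators listed on this page.
# The log format and log lines are constructed for the demo.
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC list above (defanged "[.]" restored).
IOC_DOMAINS = {
    "northfaceblackfriday.shop", "lidl-blackfriday-eu.shop", "bbw-blackfriday.shop",
    "llbeanblackfridays.shop", "dopeblackfriday.shop", "wayfareblackfriday.com",
    "makitablackfriday.shop", "blackfriday-shoe.top", "eu-blochdance.shop",
    "ikea-euonline.com", "gardena-eu.com",
}
IOC_URLS = {("longnr.com", "/payment/event-log.php")}
IOC_SHA256 = {
    "587b05cd8d59f9820d2cf168b07d46b1519d12ee7a2f7062a2490da0a99ccb50",
    "9a049fe87fe472bd6e2a9f361b78a64576be9f827f9668af69bec03f5cbef0da",
}
# Kit artefacts named in the key points.
TRACKER_PATH = "/homeapi/collect"
TRACKER_MARKER = "trusttollsvg"
# Heuristic (assumption, not from the report): a Black Friday lure on the TLDs
# the campaign favoured. Low confidence on its own; surfaced for analyst review.
LURE_TLDS = (".top", ".shop", ".store", ".vip")
LURE_RE = re.compile(r"black-?friday", re.IGNORECASE)


def _host_matches(host, domain):
    # Exact match or a subdomain of the listed domain.
    return host == domain or host.endswith("." + domain)


def classify_url(url):
    """Return the list of indicator types a URL triggers (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    hits = []
    if any(_host_matches(host, d) for d in IOC_DOMAINS):
        hits.append("known_ioc_domain")
    if any(_host_matches(host, h) and path == p for h, p in IOC_URLS):
        hits.append("known_ioc_url")
    if path == TRACKER_PATH:
        hits.append("tracker_endpoint")
    if TRACKER_MARKER in path:
        hits.append("kit_marker")
    if host.endswith(LURE_TLDS) and LURE_RE.search(host) and "known_ioc_domain" not in hits:
        hits.append("lure_pattern")
    return hits


def is_known_hash(sha256_hex):
    """True if a SHA-256 (any case, surrounding whitespace ignored) is in the IoC list."""
    return sha256_hex.strip().lower() in IOC_SHA256


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-11-20T09:12:01Z 10.0.0.5 GET https://northfaceblackfriday.shop/ 200
2024-11-20T09:12:04Z 10.0.0.5 POST https://northfaceblackfriday.shop/homeapi/collect 200
2024-11-20T09:13:10Z 10.0.0.7 GET https://www.example-retailer.com/deals 200
2024-11-20T09:14:22Z 10.0.0.9 GET https://somebrand-blackfriday.store/ 200
2024-11-20T09:15:03Z 10.0.0.5 POST http://longnr.com/payment/event-log.php 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log(text):
    """Return a list of (client_ip, url, hits) for every line that triggers an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, client, _method, url, _status = m.groups()
        hits = classify_url(url)
        if hits:
            findings.append((client, url, hits))
    return findings


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(hits)}")
```

A POST to "/homeapi/collect" from a host that is not on the domain list is still worth a look: the key points describe it as the kit's victim-interaction tracker, so it can surface phishing domains that were stood up after the IoC list was published. The "lure_pattern" hit on its own should feed a review queue, not a block list, since legitimate retailers also register Black Friday domains on these TLDs.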
Full Research: https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers