As Black Friday approaches, a new phishing campaign has emerged, targeting online shoppers in Europe and the United States. This campaign, attributed to a Chinese threat actor codenamed SilkSpecter, leverages fake e-commerce websites mimicking legitimate brands such as IKEA, L.L.Bean, North Face, and Wayfair. The attackers aim to steal sensitive financial and personal information by luring victims with fraudulent discount offers.
First observed in October 2024, the campaign is designed to exploit the increased online shopping activity during November. The fraudulent sites are crafted to appear credible, utilizing dynamic language adaptation based on user geolocation and legitimate payment processing systems to gain user trust.
Phishing Campaign Targets Black Friday Shoppers: Technical Overview
Key Features of the Campaign:
- Phishing Lures: Fake discounted products and promotions.
- Targeted Information: Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII).
- Domain Types: Phishing domains using TLDs such as .top, .shop, .store, and .vip that closely resemble legitimate retailers.
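One way to triage newly seen domains against the pattern described above, as an added example that is not part of the original advisory. The normalization rules, the one-edit tolerance and the sample domains are assumptions made for illustration.

```python
import re

# TLDs and brands named in the advisory; extend both from your own intel.
SUSPECT_TLDS = {"top", "shop", "store", "vip"}
BRANDS = {"ikea": "IKEA", "llbean": "L.L.Bean",
          "northface": "North Face", "wayfair": "Wayfair"}
# Digit-for-letter swaps to undo before matching (assumption, not from the page).
DIGIT_SWAPS = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_match(name, brand):
    """True if `brand`, or a one-edit near miss of it, occurs inside `name`."""
    if brand in name:
        return True
    if len(brand) < 6:  # near-miss matching on short brands is too noisy
        return False
    n = len(brand)
    for size in (n - 1, n, n + 1):
        for i in range(len(name) - size + 1):
            if edit_distance(name[i:i + size], brand) <= 1:
                return True
    return False

def classify(domain):
    """Return the brand a suspect-TLD domain resembles, or None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in SUSPECT_TLDS:
        return None
    # Join all labels left of the TLD, undo digit swaps, keep letters only.
    name = re.sub(r"[^a-z]", "", "".join(labels[:-1]).translate(DIGIT_SWAPS))
    for key, display in BRANDS.items():
        if brand_match(name, key):
            return display
    return None

if __name__ == "__main__":
    # Constructed sample domains, not indicators from the campaign.
    for d in ["ikea-blackfriday.shop", "wayfa1r-deals.top", "gardentools.shop", "ikea.com"]:
        print(f"{d:28} -> {classify(d)}")
```

A hit is a triage signal for review, not a verdict: substring matching on short brand names will produce false positives, and any domains a brand genuinely owns on these TLDs should be allowlisted before alerting.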
Attack Techniques:
- Dynamic Language Adaptation: Using a Google Translate component, the phishing sites automatically adjust their language based on the victim’s location.
- Malicious Trackers: Tools like OpenReplay, TikTok Pixel, and Meta Pixel are embedded to monitor victim interactions and refine the attack.
- Fraudulent Payment Processing: Attackers exploit legitimate payment processors like Stripe to exfiltrate credit card details while maintaining the illusion of a legitimate transaction.
- Smishing and Vishing Follow-Up: Victims are prompted to provide their phone numbers, enabling subsequent attacks via SMS or voice calls to steal further credentials, including two-factor authentication codes.
SEO Poisoning:
The campaign also leverages SEO poisoning tactics, compromising legitimate websites to push phishing sites higher in search engine results. This increases the likelihood of unsuspecting users clicking on malicious links.
What Our Threat Intelligence Team is Seeing
Impact
Successful exploitation can lead to:
- Financial Losses: Unauthorized transactions using stolen credit card details.
- Identity Theft: Misuse of captured PII for further fraudulent activities.
- Compromise of User Accounts: Follow-on smishing and vishing attacks to bypass security measures like 2FA.
What We Suggest to Protect Against Phishing Campaign Targeting Black Friday Shoppers
1. Verify Website Authenticity:
- Avoid clicking on promotional links from unsolicited emails or messages.
- Manually enter the retailer’s official website URL into your browser.
2. Use Secure Payment Methods:
- Prefer virtual credit cards or payment services that offer additional security layers.
- Monitor financial statements for any unauthorized transactions.
3. Strengthen Cybersecurity Defenses:
- Use up-to-date anti-phishing tools and browser security extensions.
- Enable multi-factor authentication (MFA) on all sensitive accounts.
4. Be Cautious of Follow-Up Communications:
- Treat any unexpected SMS or phone calls requesting sensitive information as suspicious.
- Report and block suspected phishing attempts immediately.
5. Stay Informed:
- Educate employees and consumers on identifying phishing websites and suspicious payment prompts.
- Remain vigilant during peak shopping seasons, as threat actors often capitalize on high online traffic.