A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands, with the goal of stealing their personal information ahead of the Black Friday shopping season.
“The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII),” EclecticIQ said.
The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. The impersonated brands include IKEA, L.L.Bean, North Face, and Wayfair.
The phishing domains were found to use top-level domains (TLDs) such as .top, .shop, .store, and .vip, often typosquatting legitimate e-commerce organizations’ domains as a way to lure victims (e.g., northfaceblackfriday[.]store). These websites advertise non-existent discounts while stealthily harvesting visitor information.
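As a defender-side illustration of the naming pattern described above (an example added here, not code from the EclecticIQ report), the following Python triage helper flags observed domains that combine one of the impersonated brand names with the TLDs the campaign was seen using. The brand and TLD lists come from the report; the seasonal keyword list and the allowlist of the brands' real domains are assumed placeholders.

```python
# Brands and TLDs as named in the EclecticIQ report.
IMPERSONATED_BRANDS = ("ikea", "llbean", "northface", "wayfair")
SUSPECT_TLDS = {"top", "shop", "store", "vip"}
# Assumed seasonal lure words (not from the report).
SEASONAL_WORDS = ("blackfriday", "cybermonday", "sale", "discount")
# Assumed allowlist of the brands' real domains (placeholder; use your own verified list).
LEGITIMATE_DOMAINS = ("ikea.com", "llbean.com", "thenorthface.com", "wayfair.com")

def normalize(domain):
    """Refang a defanged indicator such as northfaceblackfriday[.]store and lowercase it."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def is_allowlisted(host):
    """True if host is one of the real brand domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)

def lure_reasons(domain):
    """Return why a domain matches the lure pattern, or [] if it does not.

    Only domains carrying a brand keyword are flagged: the TLD and seasonal words
    alone are far too common to act on. Substring matching is deliberately loose,
    so treat hits as triage candidates, not verdicts.
    """
    host = normalize(domain)
    if is_allowlisted(host):
        return []
    labels = host.split(".")
    # Join the labels and drop hyphens so "l-l-bean.store" and "l.l.bean.store" both read "llbean".
    tld, name = labels[-1], "".join(labels[:-1]).replace("-", "")
    brand = next((b for b in IMPERSONATED_BRANDS if b in name), None)
    if brand is None:
        return []
    reasons = [f"brand keyword '{brand}' outside the brand's own domain"]
    if tld in SUSPECT_TLDS:
        reasons.append(f"TLD .{tld} seen in the campaign")
    seasonal = [w for w in SEASONAL_WORDS if w in name]
    if seasonal:
        reasons.append("seasonal lure word(s): " + ", ".join(seasonal))
    return reasons

def triage(domains):
    """Map each flagged domain (e.g. from a certificate-transparency feed) to its reasons."""
    flagged = {}
    for domain in domains:
        reasons = lure_reasons(domain)
        if reasons:
            flagged[domain] = reasons
    return flagged
```

Feed `triage()` newly registered domains or certificate-transparency log entries; subdomains of the allowlisted brand domains are skipped so the real shops never trip the check.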
The phishing kit’s flexibility and credibility are enhanced by a Google Translate component that dynamically changes the website’s language based on the victim’s geolocation markers. It also deploys trackers such as OpenReplay, TikTok Pixel, and Meta Pixel to keep tabs on the effectiveness of the attacks.
The end goal of the campaign is to capture any sensitive financial information entered by users as part of fake orders, with the attackers abusing Stripe to process the transactions to give them an illusion of legitimacy, when, in reality, the credit card data is exfiltrated to servers under their control.
What’s more, victims are prompted to provide their phone numbers, a move that is likely motivated by the threat actor’s plans to conduct follow-on smishing and vishing attacks to capture additional details, such as two-factor authentication (2FA) codes.
“By impersonating trusted entities, such as financial institutions or well-known e-commerce platforms, SilkSpecter could very likely circumvent security barriers, gain unauthorized access to victim’s accounts, and initiate fraudulent transactions,” EclecticIQ said.
It is currently not clear how these URLs are distributed, but the distribution is suspected to involve social media accounts and search engine optimization (SEO) poisoning.
The findings come weeks after HUMAN’s Satori Threat Intelligence and Research team detailed another sprawling and ongoing fraud operation dubbed Phish ‘n’ Ships that revolves around fake web shops that also abuse digital payment providers like Mastercard and Visa to siphon users’ money and credit card information.
The rogue scheme is said to have been active since 2019, infecting over 1,000 legitimate websites to set up bogus product listings and using black hat SEO tactics to artificially boost the websites’ ranking in search engine results. The payment processors have since blocked the threat actors’ accounts, restricting their ability to cash out.
“The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout,” the company said. “And though the consumer’s money will move to the threat actor, the item will never arrive.”
The use of SEO poisoning to redirect users to fake e-commerce pages is a widespread phenomenon. According to Trend Micro, such attacks involve installing SEO malware on compromised websites, which is then responsible for making sure the lure pages are surfaced at the top of search engine results.
“These SEO malware are installed into compromised websites to intercept web server requests and return malicious contents,” the company noted. “By doing so, threat actors can send a crafted sitemap to search engines and index generated lure pages.”
“This contaminates the search results, making the URLs of compromised websites appear in searches for product names they do not actually handle. Consequently, search engine users are directed to visit these sites. The SEO malware then intercepts the request handler and redirects the user’s browser to fake e-commerce sites.”
Outside of shopping-related fraud, postal service users in the Balkan region have become the target of a failed delivery scam that uses Apple iMessage to send messages claiming to be from the postal service, instructing recipients to click on a link and enter personal and financial information in order to complete the delivery.
“The victims would then be required to provide their personal information including their name, residential or commercial address, and contact information, which the cybercriminals will harvest and use for future phishing attempts,” Group-IB said.
“Undoubtedly, after the payment is made by the victims, the money is unrecoverable, and the cybercriminals become uncontactable, resulting in the loss of both personal information and money by their victims.”