Cybercriminals Target Black Friday Shoppers with Phishing Attack

Scrooge appears to be hard at work before the holiday season officially starts. A week before Black Friday, shopping these deals has already become dangerous. Cybercriminals have launched a phishing campaign that uses fake websites designed to steal Black Friday shoppers’ information.

Black Friday Phishing Campaign

As far back as early October, analysts at EclecticIQ began noticing a phishing campaign. It appears to be aimed at Black Friday shoppers in the United States and Europe. The same analysts believe Chinese cybercriminals, nicknamed SilkSpecter, are behind it, looking to cash in.

SilkSpecter is using fake, discounted products in this phishing scam to attract Black Friday shoppers and convince them to provide their cardholder data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII).

When shoppers enter their information, the attackers steal the CHD via the Stripe payment process. The CHD is sent to a server controlled by SilkSpecter. Google Translate is used to make the language on the sites more credible, adjusting it for the IP locations of the victims.

It turns out this isn’t SilkSpecter’s first entry into the fake e-commerce sites space. They have set up similar phishing campaigns. All of them have been linked to a Chinese SaaS that analysts believe allows them to quickly create these sites. Most of the sites use domains with .top, .hip, .store, and .vip.

Good to know: you also need to look out for a “Your package cannot be delivered” text.

Discovery of the Black Friday Phishing Pattern

Analysts noticed a pattern across the fake Black Friday phishing domains and concluded that most of them can be linked back to SilkSpecter. Cybercrime itself is a bigger threat than you might imagine.

Each page included the “trusttollsvg” icon that made it appear to be a normal trusted site. Additionally, these pages all had a “homeapi/collect” endpoint. This would notify the cyberattackers when a URL was clicked or opened by a victim, who was lured there by a promising Black Friday discount.
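
As an added example (not code from EclecticIQ or the original article), the indicators described above can be turned into a triage pass over web proxy records. The record layout, the verdict names, and the sample hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Strings as named in the article; how they appear in traffic is an assumption.
SUSPECT_TLDS = {"top", "hip", "store", "vip"}
BEACON_PATH = "homeapi/collect"
ICON_MARKER = "trusttollsvg"


def indicators(url, body=""):
    """Return (host, set of article indicators) for one request/response pair."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    hits = set()
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        hits.add("tld")
    if BEACON_PATH in parts.path.lower():
        hits.add("beacon")
    if ICON_MARKER in body.lower():
        hits.add("icon")
    return host, hits


def triage(records):
    """Merge hits per host. The beacon path or icon marker gives 'alert';
    a TLD match alone gives 'review', since legitimate shops use these TLDs too."""
    per_host = {}
    for rec in records:
        host, hits = indicators(rec["url"], rec.get("body", ""))
        per_host.setdefault(host, set()).update(hits)
    verdicts = {}
    for host, hits in per_host.items():
        if hits & {"beacon", "icon"}:
            verdicts[host] = ("alert", sorted(hits))
        elif hits:
            verdicts[host] = ("review", sorted(hits))
    return verdicts


# Constructed sample proxy records; the hostnames are made up, not real indicators.
SAMPLE = [
    {"url": "https://constructed-deals.top/", "body": '<img src="/img/trusttollsvg.svg">'},
    {"url": "https://constructed-deals.top/homeapi/collect?e=open"},
    {"url": "https://constructed-florist.store/cart"},
    {"url": "https://www.example.com/black-friday"},
]

if __name__ == "__main__":
    for host, (verdict, hits) in sorted(triage(SAMPLE).items()):
        print(f"{verdict:6} {host:28} {', '.join(hits)}")
```

The TLD match is deliberately the weakest signal; only the beacon path or the icon marker raises a host to an alert.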

Various website trackers were set off once someone landed on a phishing page looking for a Black Friday deal. The trackers kept watch on the effectiveness of the phishing campaign as it collected PII, CHD, and SAD from unsuspecting shoppers using Stripe. Among the information collected were IP addresses, geolocation, browser type, and OS.

Additionally, victims of this phishing attack were asked to supply their phone numbers. It’s assumed that this information would also be exploited. The phone numbers could then be used for voice phishing or SMS phishing, pushing the victims to reveal other details, such as 2FA codes, identification details, and possibly account credentials.

It’s believed that SilkSpecter passed the phishing URLs around through social media accounts and SEO poisoning, baiting victims with Black Friday discounts.

Luckily, you don’t have to fall victim to the Black Friday phishing attack. Don’t access unknown websites, no matter how promising the deals sound. Stick to Amazon and other well-known sites. And, as always, you can stay tuned to Make Tech Easier, as we will be publishing some of the best Black Friday tech deals.

Image credit: All images by Canva and Image Playground.

Laura Tucker