Chinese Hacker Group Launches Large-Scale Phishing Operation Targeting US and European Shoppers

CyberSecureFox 🦊

Cybersecurity researchers at EclecticIQ have uncovered a sophisticated phishing operation orchestrated by the Chinese threat actor group SilkSpecter, involving over 4,695 fraudulent e-commerce websites. The campaign, launched in October 2024, specifically targets consumers in the United States and Europe by exploiting the Black Friday shopping season.

Sophisticated Impersonation Techniques Target Major Retail Brands

The threat actors have demonstrated remarkable sophistication in creating convincing replicas of established retail websites, including The North Face, IKEA, and Lidl. These fraudulent sites employ advanced social engineering tactics, including legitimate-looking Stripe payment integration and automated content translation through Google Translate based on visitor location, significantly enhancing their credibility.

Technical Infrastructure and Attack Indicators

Analysis reveals distinct patterns in the fraudulent infrastructure: the sites predominantly use less common top-level domains such as .shop, .store, .vip, and .top. The attackers have also embedded tracking tools, including OpenReplay, TikTok Pixel, and Meta Pixel, which let them monitor victim behavior on the fake storefronts and refine their attack strategies.
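As an added example (not EclecticIQ's or this site's code), the following Python triage script scores a candidate storefront URL and its page HTML against the indicators described above: brand look-alike hostnames, the .shop/.store/.vip/.top TLDs, and the OpenReplay, TikTok Pixel and Meta Pixel trackers. The official-domain allowlist, the tracker regexes, the weights and the sample pages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Brands and TLDs are those named in the article; the allowlist of official
# registered domains and the tracker patterns are constructed assumptions.
BRANDS = ("northface", "ikea", "lidl")
SUSPICIOUS_TLDS = {"shop", "store", "vip", "top"}
OFFICIAL_DOMAINS = {"thenorthface.com", "ikea.com", "lidl.com"}
TRACKER_PATTERNS = {
    "openreplay": re.compile(r"openreplay", re.I),
    "tiktok_pixel": re.compile(r"analytics\.tiktok\.com|ttq\.load\(", re.I),
    "meta_pixel": re.compile(r"connect\.facebook\.net|fbq\(", re.I),
}

def domain_indicators(url: str) -> dict:
    """Extract hostname-level indicators: brand look-alike, TLD, allowlist hit."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    registered = ".".join(labels[-2:])
    # Collapse separators and common digit substitutions so that
    # "ikea-blackfriday" or "n0rthface-sale" still match the brand name.
    collapsed = re.sub(r"[^a-z0-9]", "", host).replace("0", "o").replace("1", "l")
    return {
        "host": host,
        "brand_lookalike": next((b for b in BRANDS if b in collapsed), None),
        "suspicious_tld": labels[-1] in SUSPICIOUS_TLDS,
        "on_allowlist": registered in OFFICIAL_DOMAINS,
    }

def find_trackers(html: str) -> list:
    """Return the names of the article's tracker families present in the HTML."""
    return [name for name, pat in TRACKER_PATTERNS.items() if pat.search(html)]

def triage(url: str, html: str) -> dict:
    """Combine indicators into a score; allowlisted official domains score 0."""
    ind = domain_indicators(url)
    ind["trackers"] = find_trackers(html)
    score = 0
    if not ind["on_allowlist"]:
        if ind["brand_lookalike"]:
            score += 2          # brand name on a non-official domain
        if ind["suspicious_tld"]:
            score += 1          # one of the TLDs seen in the campaign
        score += len(ind["trackers"])  # trackers alone are weak evidence
    ind["score"] = score
    ind["verdict"] = "suspicious" if score >= 3 else ("review" if score else "clean")
    return ind

# Constructed sample pages: one look-alike storefront, one official site, one unrelated.
SAMPLE_PAGES = {
    "https://ikea-blackfriday.shop/checkout":
        "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"
        "<script>ttq.load('PIXEL-ID-PLACEHOLDER')</script>",
    "https://www.ikea.com/us/en/":
        "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>",
    "https://example.org/": "<p>nothing to see</p>",
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(triage(url, html))
```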

Data Theft Methodology

The operation uses a multi-stage flow: victims are redirected to payment portals built to harvest full payment card details and phone numbers. The collected phone numbers serve a dual purpose, potentially enabling follow-on attacks aimed at circumventing two-factor authentication. All exfiltrated data is transmitted to command-and-control servers managed by the threat group.

Attribution and Technical Evidence

Technical analysis strongly indicates Chinese origin, supported by multiple indicators including the use of China-based IP addresses and ASNs, domain registration patterns through Chinese registrars, distinctive code signatures, and previous associations with Chinese SaaS platform oemapps. These technical markers align with known SilkSpecter operational patterns.

This unprecedented phishing campaign represents a significant evolution in cyber threats targeting e-commerce consumers. Security experts recommend implementing robust verification procedures for online purchases, particularly during major shopping events. Essential protective measures include verifying website authenticity through official URLs, scrutinizing unusual discount offers, and utilizing secure payment methods such as virtual credit cards or verified payment processors. Organizations and consumers must maintain heightened vigilance as cyber threats continue to evolve in sophistication and scale.
