Thousands of Fake Shopping Sites Launched to Steal Credit Card Data During Black Friday

A new fraud campaign led by the Chinese threat actor SilkSpecter is leveraging 4,700 fake e-commerce websites to steal payment card details and personal information. These sites mimic popular brands and utilize legitimate payment processors like Stripe to deceive victims. 

Threat Actor Details:

• The Chinese group SilkSpecter is behind the campaign.
• Operates 4,695 fake domains targeting U.S. and European shoppers.

Targets and Tactics:

• Impersonates major brands like North Face, IKEA, Lidl, and more.
• Promotes Black Friday discounts to lure unsuspecting buyers.
• Utilizes legitimate payment processors (e.g., Stripe) for credibility.

Phishing and Data Theft:

• Collects credit/debit card details, expiration dates, CVV codes, and phone numbers.
• Information is sent to attacker-controlled servers for misuse.
• Uses phone numbers for subsequent voice or SMS phishing.

Technical Tools and Indicators:

• Domains commonly use ".shop," ".store," ".vip," or ".top" extensions.
• Leverages Google Translate for language adjustments based on victim location.
• Tracks visitor behavior using tools like OpenReplay, TikTok Pixel, and Meta Pixel.

Attribution and Evidence:

• Indicators of Chinese origin include IP addresses, ASNs, domain registrars, and code.
• Previously used Chinese SaaS platforms for operations.

Safety Recommendations for Shoppers:

• Shop only on official brand websites.
• Avoid clicking on ads, social media links, or unverified search results.
• Use multi-factor authentication and monitor financial account activity regularly.