Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season."The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products

featured-image

A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said .

The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.



Bean, North Face, and Wayfare. The phishing domains have been found to use top-level domains (TLDs) such as .top, .

shop, .store, and .vip, often typosquatting legitimate e-commerce organizations' domain names as a way to lure victims (e.

g., northfaceblackfriday[.]shop).

These websites promote non-existent discounts, while stealthily collecting visitor information. The phishing kit's flexibility and credibility is enhanced using a Google Translate component that dynamically modifies the website language based on the victims' geolocation markers. It also deploys trackers such as OpenReplay, TikTok Pixel, and Meta Pixel to keep tabs on the effectiveness of the attacks.

The end goal of the campaign is to capture any sensitive financial information entered by the users as part of fake orders, with the attackers abusing Stripe to process the transactions to give them an illusion of legitimacy, when, in reality, the credit card data is exfiltrated to servers under their control. What's more, victims are prompted to provide their phone numbers, a move that's likely motivated by the threat actor's plans to conduct follow-on smishing and vishing attacks to capture additional details, like two-factor authentication (2FA) codes. "By impersonating trusted entities, such as financial institutions or well-known e-commerce platforms, SilkSpecter could very likely circumvent security barriers, gain unauthorized access to victim's accounts, and initiate fraudulent transactions," EclecticIQ said.

It's currently not clear how these URLs are disseminated, but it's suspected to involve social media accounts and search engine optimization (SEO) poisoning. The findings come weeks after HUMAN's Satori Threat Intelligence and Research team detailed another sprawling and ongoing fraud operation dubbed Phish 'n' Ships that revolves around fake web shops that also abuse digital payment providers like Mastercard and Visa to siphon consumers' money and credit card information. The rogue scheme is said to be active since 2019, infecting over 1,000 legitimate sites to set up bogus product listings and use black hat SEO tactics to artificially boost the website's ranking in search engine results.

The payment processors have since blocked the threat actors' accounts, restricting their ability to cash out. "The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout," the company said . "And though the consumer's money will move to the threat actor, the item will never arrive.

" The use of SEO poisoning to redirect users to fake e-commerce pages is a widespread phenomenon. According to Trend Micro, such attacks involve installing SEO malware on compromised sites, which are then responsible for making sure the pages are surfaced on top of search engine results. "These SEO malware are installed into compromised websites to intercept web server requests and return malicious contents," the company noted .

"By doing so, threat actors can send a crafted sitemap to search engines and index generated lure pages." "This contaminates the search results, making the URLs of compromised websites appear in searches for product names they do not actually handle. Consequently, search engine users are directed to visit these sites.

The SEO malware then intercepts the request handler and redirects the user's browser to fake e-commerce sites." Outside of shopping-related fraud, postal service users in the Balkan region have become the target of a failed delivery scam that makes use of Apple iMessage to send messages claiming to be from the postal service, instructing recipients to click on a link to enter personal and financial information in order to complete the delivery. "The victims would then be required to provide their personal information including their name, residential or commercial address, and contact information, which the cybercriminals will harvest and use for future phishing attempts," Group-IB said .

"Undoubtedly, after the payment is made by the victims, the money is unrecoverable, and the cybercriminals become uncontactable, resulting in the loss of both personal information and money by their victims.".