top of page

Chinese Cybercrime Group "SilkSpecter" Targets Holiday Shoppers with Sophisticated Fraud Campaign

As holiday shopping ramps up, a financially motivated Chinese cybercrime group dubbed "SilkSpecter" is orchestrating a large-scale phishing campaign aimed at stealing payment card details from online shoppers in the United States and Europe. The operation, which began in October 2024, capitalizes on the Black Friday shopping frenzy, offering too-good-to-be-true deals on counterfeit online stores impersonating well-known brands.

A Network of Fraudulent Stores

EclecticIQ threat researcher Arda Buyukkaya revealed that SilkSpecter is operating nearly 4,700 fraudulent domains, each meticulously crafted to mimic brands such as The North Face, IKEA, Lidl, and Wayfair. Many of these sites include “Black Friday” in their domain names to attract bargain hunters searching for deals during the holiday season.

While the websites are visually convincing, they use less conventional top-level domains such as .shop, .store, and .vip, which are typically not associated with reputable brands. Compounding the deception, the sites integrate Google Translate to match the victim’s language based on their location, enhancing the appearance of authenticity.

The sophistication extends to the payment process. The sites incorporate Stripe, a legitimate payment processor, lending further credibility to the scam while covertly exfiltrating users’ credit card details to attacker-controlled servers. In addition to stealing money directly through fake transactions, SilkSpecter harvests data like phone numbers, potentially to execute follow-up voice or SMS phishing attacks targeting two-factor authentication (2FA) protections.

Tracking and Manipulation

SilkSpecter employs tracking tools such as OpenReplay, TikTok Pixel, and Meta Pixel to monitor victim behavior on their fraudulent sites. These tools allow the attackers to refine their tactics and potentially enhance the success of their operations. As victims enter their card details—including CVV codes and expiration dates—the information is siphoned off in real time to remote servers.

EclecticIQ attributes the operation to Chinese threat actors based on linguistic evidence in the sites’ code, the use of Chinese IP addresses, and the group’s reliance on a Chinese Software-as-a-Service platform, "oemapps," before transitioning to Stripe.

Expert Insights and Recommendations

“This fraud campaign executed by SilkSpecter is a prime example of the danger of online shopping without exercising proper awareness,” says Max Gannon, Cyber Intelligence Team Manager at Cofense. “As the holiday season approaches, the stakes are even higher for online shoppers. Threat actors increasingly deploy tactics like the use of fake sites and brand impersonation. These tactics exploit the trust that individuals place in legitimate companies.”

Gannon highlights another growing concern: malicious URLs appearing in promoted Google search results. "This features malicious websites in the search results before legitimate ones," he warns, underscoring the need for heightened vigilance.

To protect against these threats, experts recommend the following precautions:

  1. Verify Website Authenticity: Always confirm that the website URL matches the official retailer's domain before entering any personal or financial information.

  2. Avoid Links in Ads and Social Media: Navigate directly to a retailer’s website rather than clicking on links in ads or search engine results.

  3. Monitor Financial Accounts: Regularly check credit card and bank statements for unauthorized transactions.

  4. Activate Multi-Factor Authentication: Strengthen account security by enabling 2FA wherever possible.

A Holiday Threat Landscape

SilkSpecter’s fraud campaign exemplifies the growing sophistication of cyber threats during peak shopping periods. By combining brand impersonation, advanced payment integration, and real-time behavioral tracking, the group has crafted an operation that is both effective and difficult to detect.

As online shopping continues to dominate consumer habits, the importance of cybersecurity awareness cannot be overstated. “To stay safe online, individuals should exercise extra caution,” Gannon advises. “Always verify the legitimacy of a website and navigate directly to a retailer’s official site rather than relying on search results or links in ads.”

For shoppers eager to seize Black Friday deals, vigilance may be the best bargain of the season.

bottom of page