A serious new warning has just been issued for web users ahead of the holiday season, with a dangerous new threat campaign that will lure millions of users into visiting websites that are not what they appear to be. Before you go bargain-hunting this Black Friday and Cyber Monday, make sure these websites do not ruin your holiday season.
This newly disclosed threat campaign “leverages the heightened online shopping activity in November, the peak season for Black Friday discounts,” EclecticIQ’s research team warns, with the scammers successfully stealing “cardholder data, sensitive authentication data and personally identifiable information (PII).”
The team attributes the campaign to the threat actor SilkSpecter, which it says leveraged legitimate payment processing providers to steal credit card details. Not only did the scammers craft discount lures and URLs to manipulate search results, but they also “enhanced the phishing site’s credibility by using Google Translate to dynamically adjust the website’s language based on each victim’s IP location, making it appear more convincing to an international audience.”
Fortunately, there are some telltale signs that will help users spot the malicious sites before it’s too late. These phishing domains “predominantly use the .top, .shop, .store, and .vip top-level domains, often typosquatting legitimate e-commerce organizations’ domain names to deceive victims.”
While the lures are blatant, with “80% off” tags to entice shoppers, such too-good-to-be-true deals are not quite so apparent during the holiday sales. The attacks are cleverly designed, with the scammers even deploying the same web trackers used by legitimate retailers, “including OpenReplay, TikTok Pixel, and Meta Pixel, to monitor the effectiveness of the attacks by collecting detailed activity logs from each visitor.”
The amount of data collected by such websites is dangerous, and includes phone numbers that “could enable attackers to conduct vishing (voice phishing) or smishing (SMS phishing) attacks, deceiving victims into providing additional sensitive information, such as 2FA codes… By impersonating trusted entities, such as financial institutions or well-known e-commerce platforms, SilkSpecter could very likely circumvent security barriers, gain unauthorized access to victim’s accounts, and initiate fraudulent transactions.”
As victims shop, their data is transmitted to an external server, creating a treasure trove of valuable data that can be further mined beyond the initial lure.
While the attacks target US and European online shoppers, this is very much a Made in China campaign. The Content Delivery Network (CDN) that hosts the fraudulent imagery and other components is located in China, the sites themselves were hosted on Chinese infrastructure, and the domains “were tied to specific Autonomous System Numbers (ASNs) and domain registrants connected to Chinese companies.”
The team has published a list of known malicious domains.
But beware—there are upwards of 4,000 malicious domains, and so shoppers are advised to be careful when clicking on “URLs with themes like ‘discount,’ ‘Black Friday,’ or similar sales events. Additionally, look for the specific path ‘/homeapi/collect’ and domains incorporating ‘trusttollsvg’.”
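The indicators quoted above (the .top/.shop/.store/.vip TLDs, sale-themed hostnames, the ‘/homeapi/collect’ path and ‘trusttollsvg’ in the domain) can be turned into a simple triage rule for proxy or DNS logs. The script below is an added illustration, not code from EclecticIQ’s report; the brand names, scoring weights, threshold and sample URLs are constructed assumptions.

```python
"""Score URLs against the SilkSpecter indicators described in the article.
The exfiltration path and the 'trusttollsvg' marker are treated as strong
signals; TLD, sale theme and brand name only add up to a weak signal."""
from urllib.parse import urlparse

SUSPECT_TLDS = {"top", "shop", "store", "vip"}          # from the report
SALE_WORDS = ("blackfriday", "cybermonday", "discount")  # lure themes
EXFIL_PATH = "/homeapi/collect"                          # from the report
DOMAIN_MARKER = "trusttollsvg"                           # from the report
# Placeholder brand names (constructed) that a lure might typosquat.
BRANDS = ("acmeoutdoor", "brandx")


def score_url(url: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for a single URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    compact = host.replace("-", "")     # 'lidl-blackfriday' -> 'lidlblackfriday'
    score, reasons = 0, []
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPECT_TLDS:
        score += 1; reasons.append(f"suspect TLD .{tld}")
    if any(word in compact for word in SALE_WORDS):
        score += 1; reasons.append("sale-themed hostname")
    if any(brand in compact for brand in BRANDS):
        score += 1; reasons.append("brand name in hostname")
    if parsed.path.startswith(EXFIL_PATH):
        score += 3; reasons.append(f"exfil path {EXFIL_PATH}")
    if DOMAIN_MARKER in host:
        score += 3; reasons.append(f"domain contains {DOMAIN_MARKER}")
    return score, reasons


def triage(urls, threshold: int = 3):
    """Return (url, score, reasons) for every URL at or above the threshold."""
    hits = []
    for url in urls:
        score, reasons = score_url(url)
        if score >= threshold:
            hits.append((url, score, reasons))
    return hits


SAMPLE_URLS = [  # constructed examples, not real campaign data
    "https://www.acmeoutdoor.com/black-friday",         # legitimate sale page
    "https://acmeoutdoor-blackfriday.shop/checkout",    # typosquat lure
    "https://cdn-assets.top/homeapi/collect?x=1",       # exfil endpoint
    "https://trusttollsvg-static.store/img/logo.png",   # campaign infra
    "https://example.org/discount",                     # benign
]

if __name__ == "__main__":
    for url, score, reasons in triage(SAMPLE_URLS):
        print(f"{score:>2}  {url}  <- {', '.join(reasons)}")
```

A legitimate retailer's own sale page scores low because the sale theme is checked in the hostname, not the path; raise or lower the threshold to suit your own false-positive tolerance.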
This follows a similar report earlier this month, in which Human Security’s Satori team found threat actors driving traffic to fake web shops “by infecting legitimate websites with a malicious payload… creating fake product listings and adding metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer.”
Trend Micro offers these other danger signs for holiday shoppers to watch for:
- Too-good-to-be-true deals
- Poor design, typos, and insecure payment methods
- Missing or suspicious contact information
- No secure payment options such as credit cards
- Unclear return or shipping policies
And as the FBI itself has warned, “if a deal looks too good to be true, it probably is! Steer clear of unfamiliar sites offering unrealistic discounts on brand-name merchandise. Scammers frequently prey on Black Friday and Cyber Monday bargain hunters by advertising ‘One-Day Only’ promotions from recognized brands. Without a skeptical eye, consumers may end up paying for an item, giving away personal information, and receive nothing in return except a compromised identity.”