Source |
RiskIQ |
Identifier |
8611252 |
Publication date |
2024-11-14 18:45:19 (viewed: 2024-11-14 19:08:27) |
Title |
Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers |
Text |
#### Targeted Geolocations
- United States
- Western Europe
- Northern Europe
- Southern Europe
- Eastern Europe
## Snapshot
Researchers from EclecticIQ identified a phishing campaign targeting e-commerce shoppers in Europe and the United States likely attributed to a Chinese financially motivated threat actor, SilkSpecter.
## Description
In October 2024, SilkSpecter launched a phishing operation leveraging the popularity of Black Friday sales, luring victims with fake discounted products to collect Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII). The group used legitimate payment processor Stripe to make transactions appear authentic, while covertly exfiltrating sensitive information to attacker-controlled servers.
SilkSpecter enhanced the credibility of its phishing sites by using Google Translate to adapt site language based on each victim's IP location. The campaign's phishing kit tracked visitor interactions using tools like OpenReplay, TikTok Pixel, and Meta Pixel, enabling the attackers to analyze engagement and effectiveness. The infrastructure relied heavily on Chinese hosting resources, including the SaaS platform oemapps, which allowed SilkSpecter to rapidly create and manage fake e-commerce sites under top-level domains like .top, .shop, .store, and .vip to impersonate legitimate brands. Impersonated brands include North Face, L.L. Bean, Makita, Wayfair, and Ikea.
EclecticIQ found evidence indicating that SilkSpecter's phishing campaigns were distributed through social media and SEO-poisoned search results. The attribution of this campaign to SilkSpecter is supported by factors such as Mandarin code comments, Chinese-hosted servers, and a preference for Chinese domain registrars. This campaign demonstrates SilkSpecter's ability to weaponize legitimate platforms, like Stripe, while effectively concealing its operations behind plausible-looking e-commerce fronts.
## Microsoft Analysis and Additional OSINT Context
Financially motivated threat actors often capitalize on US holidays and shopping events to increase their activity, exploiting the heightened online traffic and consumer spending associated with these periods. Holidays such as Memorial Day, Labor Day, Thanksgiving, Black Friday, and Christmas present prime opportunities, as people are more likely to make online purchases, interact with promotions, and respond to urgent holiday-related communications.
Threat actors typically ramp up phishing campaigns, fake e-commerce sites, and social engineering schemes designed to deceive users into providing sensitive financial information or making fraudulent purchases. By aligning their tactics with the expectations of the holiday season, such as discount-themed phishing lures and urgent purchase requests, they can more easily bypass users' suspicions. These targeted, time-sensitive attacks underscore the importance of heightened cybersecurity vigilance and consumer awareness during peak shopping and holiday seasons.
To learn more about how to protect yourself online during the holiday season, read "[Stay safe online this holiday shopping season with tips from Microsoft](https://www.microsoft.com/en-us/security/blog/2021/11/23/stay-safe-online-this-holiday-shopping-season-with-tips-from-microsoft/)" on the [Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/).
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_ |
Notes |
★★★
|
Sent |
Yes |
Tags |
Tool
Threat
Cloud
|