Threat Report: Black Fraud Day – Cybercriminals Capitalizing on Increased Online Shopping Activity
TLP:CLEAR | November 22nd, 2024
Source: Fraud network uses 4,700 fake shopping sites to steal credit cards | BleepingComputer
Overview:
With Black Friday quickly approaching and early sales already taking place, cybercriminals are launching sophisticated campaigns to capitalize on the imminent surge in online shopping. This activity echoes similar scams from this time last year that cost victims an average of $1228 CAD. Researchers at EclecticIQ recently uncovered a phishing campaign by SilkSpecter, a financially motivated Chinese threat actor, targeting shoppers in the US and Europe. SilkSpecter was observed using convincing, yet malicious websites, leveraging the following techniques and tools to give the impression of legitimacy:
- Typosquatting to impersonate legitimate retailers like The North Face, IKEA, and Wayfair. Often incorporating Black Friday-themed keywords into the URLs (e.g., makitablackfriday[.]shop).
- Use of .shop, .top, .store, and .vip top-level domains (TLDs). A technique that is being increasingly used by cybercriminals, as researchers at Satori have also observed.
- Displaying of deceptive icons falsely labelling them as a “Trusted Site”.
- Incorporation of the legitimate payment platform Stripe to process genuine transactions and redirect money to SilkSpecter accounts.
- Use of Google Translate’s built-in functionality to dynamically adjust language settings based on the visitor’s location, creating a localized and authentic user experience.
Any stolen phone numbers are then used for targeting victims with SMiShing and vishing attacks to steal authentication tokens. If successful, the threat actor could then potentially bypass extra security controls on target accounts such as multi-factor authentication (MFA).
What to Communicate to Executives:
- Remain vigilant: Users should maintain awareness of the tactics described in this alert as well as other techniques common with online scams such as the use of language to pressure victims into completing a transaction (“offer lasts for 24 hours”, “1 left in stock”). Continue to keep the community safe by sharing threat intelligence regarding other online scams.
- Use virtual cards for online shopping: Using pre-configured virtual cards for the purpose of online shopping protects primary cards from being compromised.
- Set spending limits: Adding a limit to how much money can be spent, or how many transactions can be used in a day on cards can reduce their ability to be exploited.
-
Enable MFA: Despite some of these attacks leading to further attempts to circumvent this measure, adding MFA to accounts and never disclosing your authentication tokens to suspicious contacts via SMS or voice calls will significantly reduce the likelihood of account compromise.
- Report: Report any suspicious websites to the Canadian Anti-Fraud Centre immediately toll-free at 1-888-495-8501.
Further Reading:
