Take extra care shopping for Black Friday deals - experts find thousands of fake websites looking to steal your details
Take your time, or you could lose your money, experts warn
- CloudSEK warns of 2,000+ fake Black Friday ecommerce sites stealing money and data
- Scam clusters impersonate Amazon, major brands, using urgency timers and phishing checkout kits
- Campaign could net $24M, showing industrialized, automated holiday fraud at massive scale
This Black Friday, there are thousands of fake online stores designed only to steal your money and your sensitive data.
This is the warning given out by cybersecurity experts CloudSEK, who are sounding the alarm on two major scam clusters active right now.
One of the best ways to spot a phishing or scam attack is its sense of urgency - scams usually take the form of an offer that is about to expire, or a threat that an account will be suspended unless immediate action is taken. But Black Friday deals are time-limited by nature, so the artificial urgency blends in and criminals can hide their intentions even better.
Spoofing retailers and major brands
CloudSEK found more than 2,000 fraudulent holiday-themed ecommerce sites, designed to exploit customer trust by impersonating popular retailers. These websites were part of two huge clusters - one comprising roughly 750 sites, and one with more than 1,000 domains.
The first cluster mostly impersonates Amazon and other retailers. The sites look almost identical, with similar templates, flip-clock-style urgency timers, fake trust badges, and pop-ups purporting to show recent purchases by other shoppers.
The second cluster sits entirely under the .shop top-level domain and impersonates major brands rather than retailers. Samsung, Ray-Ban, Xiaomi, Jo Malone and others are among the brands spoofed.
“These sites replicate the same Black Friday/Cyber Monday template and fraudulent checkout process for financial fraud, indicating the use of a standardized phishing kit,” the researchers said, adding that the payments are redirected to attacker-controlled shell checkout sites.
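The indicators described above (a brand name in the hostname, the .shop TLD, countdown timers, "recent purchase" pop-ups, trust-badge text, and a checkout form that posts to a different domain than the storefront) can be turned into a simple triage heuristic for defenders reviewing suspicious shopping domains. The script below is an added example written for this article and is not CloudSEK's tooling; the trusted-domain allowlist, the indicator weights, the regular expressions and both sample HTML pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names the article says are being impersonated (hyphen-free for matching).
IMPERSONATED_BRANDS = ("amazon", "samsung", "rayban", "xiaomi", "jomalone")

# Assumption: a defender-maintained allowlist of registrable domains that are
# genuinely operated by those brands. Placeholder values, not a verified list.
TRUSTED_DOMAINS = {"amazon.com", "samsung.com", "ray-ban.com", "xiaomi.com", "jomalone.com"}

# Constructed patterns for the page-content indicators named in the article.
URGENCY_RE = re.compile(r"(countdown|offer ends in|hurry|only \d+ left|flip-?clock)", re.I)
POPUP_RE = re.compile(r"(just (bought|purchased)|someone in .{1,40} (bought|purchased))", re.I)
BADGE_RE = re.compile(r"(100% secure|verified (seller|store)|trusted (seller|store)|money.?back guarantee)", re.I)


class FormActionParser(HTMLParser):
    """Collect the action URL of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.actions.append(value)


def registrable_domain(host):
    """Naive 'last two labels' approximation; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_storefront(page_url, html):
    """Weight each indicator and return a triage verdict for one storefront page."""
    host = urlparse(page_url).hostname or ""
    base = registrable_domain(host)
    hits = {}

    # Brand token in the hostname while the registrable domain is not the brand's own.
    flat_host = host.lower().replace("-", "")
    if base not in TRUSTED_DOMAINS and any(b in flat_host for b in IMPERSONATED_BRANDS):
        hits["brand_in_hostname"] = 3
    if host.endswith(".shop"):
        hits["shop_tld"] = 1
    if URGENCY_RE.search(html):
        hits["urgency_timer"] = 2
    if POPUP_RE.search(html):
        hits["recent_purchase_popup"] = 2
    if BADGE_RE.search(html):
        hits["trust_badge_text"] = 1

    # Checkout form posting to another registrable domain: the "shell checkout" pattern.
    parser = FormActionParser()
    parser.feed(html)
    for action in parser.actions:
        action_host = urlparse(action).hostname
        if action_host and registrable_domain(action_host) != base:
            hits["offsite_checkout"] = 3
            break

    total = sum(hits.values())
    verdict = "likely scam" if total >= 6 else "suspicious" if total >= 3 else "no strong signal"
    return {"host": host, "score": total, "indicators": sorted(hits), "verdict": verdict}


# Constructed sample pages: one mimicking the described scam template, one benign.
SCAM_PAGE = """<html><body>
<div class="flip-clock">Offer ends in 00:14:59</div>
<img alt="100% Secure Checkout" src="badge.png">
<div class="toast">Someone in Berlin just bought a Galaxy phone</div>
<form action="https://checkout-pay-gateway.example/submit" method="post"></form>
</body></html>"""

LEGIT_PAGE = """<html><body>
<h1>Holiday deals</h1>
<form action="/cart" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    print(score_storefront("https://samsung-blackfriday-deals.shop/", SCAM_PAGE))
    print(score_storefront("https://www.samsung.com/deals/", LEGIT_PAGE))
```

The weights favour the two structural signals (a spoofed brand in the hostname and a checkout form leaving the site) over cosmetic ones such as a countdown, because the cosmetic signals also appear on legitimate sales pages; the thresholds are starting points to tune against a known-good sample of real retailer pages.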
It is unclear how people land on these sites, but CloudSEK speculates it’s most likely through social media ads, SEO poisoning, and direct advertising through instant messaging platforms such as WhatsApp and Telegram. The researchers believe that each site could rake in up to $12,000, meaning that the entire campaign could bring more than $24 million in stolen money.
For Ibrahim Saify, Security Researcher at CloudSEK, this is a demonstration of the “industrialization of holiday scams.”
“The scale of this ecosystem, spanning more than 2,000 coordinated fake domains, shows how rapidly cybercriminals are automating fraud. If left unchecked, these scams could cause significant financial losses for consumers and erode trust in global e-commerce during its busiest season,” Saify stressed.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.