The holiday shopping season has become one of the most lucrative periods of the year for cybercriminals. Alongside legitimate Black Friday and Christmas offers, threat actors are now operating large, co-ordinated networks of fake online stores designed to steal payment card details and personal information at scale.
Recent threat intelligence originally attributed to AlienVault and enriched within our own analysis reveals two major clusters of fraudulent e-commerce infrastructure, together comprising more than 2,000 holiday-themed fake shops. These campaigns are highly polished, visually convincing and timed specifically to coincide with peak shopping periods when users are actively hunting for “too good to miss” discounts.
Two Major Clusters of Fraudulent Stores
The campaign breaks down into two broad ecosystems which share common tooling, design patterns and infrastructure.
The first cluster revolves around so-called “Amazon returns”, “mystery box” and liquidation pallet scams. These sites frequently misuse Amazon branding and themes, and promote unrealistic discounts or “secret” pallets of returned goods with promised high-value items inside. Domains in this cluster include examples such as:
- amaboxreturns[.]com
- amazonshome[.]com
- atoztreasure[.]com
- amazonpalletrush[.]com
- amazonreturnsbox[.]com
- amznpallet[.]com, amznpalletmarket[.]com and related lookalikes
Alongside these domains, a large constellation of hostnames has been observed, all clearly engineered to appear adjacent to Amazon branding. They combine words such as “box”, “pallet”, “warehouse”, “liquidation”, “mystery” and “surprise” with misspelled or truncated versions of “amazon” and “amz”. This allows the operators to pivot brand names quickly if individual domains are taken down.
The second cluster is built around a .shop ecosystem that impersonates well-known consumer brands across technology, cosmetics, lifestyle and household goods. These domains attach the word “safe” or similar terms to brand names, or present as unofficial “fast” or “sale” outlets. Examples from this cluster include:
- 8bitdosafe[.]shop
- samsungsafe[.]shop and samsunghugesale[.]shop
- rarebeautysafe[.]shop
- garminsafe[.]shop
- seagatesafe[.]shop, westerndigitalsafe[.]shop, skhynixsafe[.]shop
- Numerous others following the same pattern, such as aquafreshsafe[.]shop, garminsafe[.]shop, viomisafe[.]shop and yalesafe[.]shop
Collectively, these domains present as “official” or “authorised” discount outlets for globally recognised brands, but they are in reality thin shells that exist solely to harvest payment data.
A Shared Phishing and Fraud Infrastructure
Despite the variety of brand names and themes, the underlying infrastructure and tradecraft show strong commonality. The identified sites make use of:
- Uniform holiday-themed banners and promotional graphics, including snowflakes, baubles, red and green colour schemes and Black Friday countdown imagery.
- Identical site templates and checkout flows, suggesting a shared phishing kit or turnkey “fraud store” platform being reused across domains.
- Fake trust indicators, including copied logos of major payment providers, counterfeit “secure checkout” badges and fabricated customer reviews.
- Aggressive urgency tactics, with countdown timers, “only X items left” notices and temporary “flash sale” messaging.
In some instances, specific infrastructure elements, such as countdown pages on flipclock.blackfriday and flipclock.christmas, appear to be used as reusable components or staging pages for multiple fraudulent storefronts.
A common phishing kit appears to be in circulation across this ecosystem. One associated artefact is the SHA-256 hash:
095a3ebc77f4e46b3adda543b61d90b7d3f20b41532c07772edd31908d060bb2
This hash corresponds to a malicious file linked to the campaign and can be used as a detection pivot within EDR, AV and SIEM platforms.
How the Scam Works for Victims
From the victim’s perspective, the journey is designed to feel indistinguishable from a legitimate discount experience.
A shopper may encounter one of these sites through targeted social media adverts, sponsored search results, link shortening services or spam emails promoting Black Friday or Christmas offers. The site presents a polished storefront featuring recognisable brands at unusually steep discounts, often wrapped in a narrative around overstock, returns pallets, warehouse clearance or “surprise boxes”.
The user is guided rapidly towards checkout with minimal friction. Product descriptions are shallow, but the emotional hooks are strong: scarcity, urgency, exclusivity and perceived insider access to “secret” deals. At the point of payment, the user is encouraged to enter:
- Full payment card details
- Name and billing address
- Email and phone number
In many cases, the transaction will apparently “complete”, but nothing is ever shipped. The key objective of the operators is data capture rather than goods fulfilment. The harvested payment and personal information is then either used directly for fraudulent transactions or sold on to other criminal groups via carding and identity theft ecosystems.
Why the Campaign Is So Effective
The timing and theming of this campaign are not accidental. There are several factors that significantly increase its chance of success.
Firstly, holiday periods such as Black Friday and the run-up to Christmas are times when even security-conscious individuals are more tolerant of unfamiliar brands and new websites, provided the discount appears compelling. The expectation of “once a year” extreme discounts lowers natural scepticism.
Secondly, mainstream retailers now operate legitimate flash sales, outlet sites and special “returns” or “warehouse” channels. Attackers exploit this normalisation of constant discounting and high-pressure offers, making their fraudulent versions seem less unusual.
Thirdly, the use of domains that visually and linguistically sit close to genuine brands – especially those involving Amazon-style pallets, mystery boxes and liquidation stories – exploits name recognition without needing to bypass hardened corporate infrastructure. Consumer devices, home networks and unmanaged BYOD endpoints are a softer target.
Finally, the campaign’s scale matters. By operating hundreds or thousands of domains concurrently, the actors build resilience against takedowns and filtering. If one domain is blocked or seized, they simply rotate traffic to the next.
Impact on Consumers and Organisations
At first glance, these scams might appear to be a pure consumer protection issue. In reality, they have a far broader impact that directly affects organisations.
Compromised payment cards belonging to staff may be abused for fraudulent purchases, leading to chargebacks and operational disruption. More significantly, the same credentials and personal data captured on these fake shops are often reused across corporate systems. If an employee uses their work email address and a password they also use for enterprise accounts, attackers gain a valuable foothold for credential stuffing and targeted phishing.
Furthermore, when fraudulent transactions are made using corporate cards, or when staff fall victim using devices that also access corporate resources, incident response teams are drawn into investigations that consume time and resources at the busiest point of the year.
What Security Teams Should Do Now
For security and fraud teams, this campaign underscores the importance of combining threat intelligence, user awareness and technical controls during the holiday period.
Organisations should ensure that indicators of compromise (IOCs) associated with this ecosystem are actively ingested into their detection stack. This includes domains such as the numerous …safe[.]shop brand fakes, the Amazon-themed pallet and box domains, and related hostnames including georgmat[.]com, hiwoji[.]com, howokin[.]com and others used as part of the same infrastructure.
Network and DNS security controls should be configured to block access to known malicious domains and to flag unusual patterns involving suspicious TLD combinations and brand-spoofing constructs. Where supported and lawful, TLS inspection can help surface fraudulent checkout flows masquerading behind HTTPS.
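As an added illustration (not tooling from the original report or from Cyber Defence), the following Python snippet shows how the brand-spoofing constructs described above can be turned into a simple DNS-log detector: it flags "<brand>safe.shop"-style hostnames, Amazon-lookalike tokens combined with pallet/box/returns vocabulary, and the seasonal TLDs used for countdown pages, while ignoring the genuine brand domains. The log format, client addresses and the brand list are assumptions for the example; the domain patterns are the ones the report describes.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample DNS query log (not taken from the report); mixes genuine
# brand lookups with the scam naming patterns described in the text.
SAMPLE_LOG = """\
2024-11-28T09:12:03Z client=10.0.4.21 q=amazonpalletrush.com
2024-11-28T09:12:07Z client=10.0.4.21 q=www.amazon.com
2024-11-28T09:13:41Z client=10.0.5.9 q=samsungsafe.shop
2024-11-28T09:14:02Z client=10.0.5.9 q=shop.samsung.com
2024-11-28T09:15:19Z client=10.0.6.3 q=amznpalletmarket.com
2024-11-28T09:16:55Z client=10.0.6.3 q=flipclock.blackfriday
"""

# Brands and vocabulary drawn from the domains the report lists; extend as needed.
BRANDS = ("samsung", "garmin", "seagate", "westerndigital", "skhynix",
          "rarebeauty", "8bitdo", "aquafreshsafe"[:-4], "viomi", "yale")
SUFFIX_WORDS = ("safe", "hugesale", "sale", "fast")
AMAZON_ABBR = re.compile(r"ama|amz|atoz")          # truncated / misspelled "amazon"
PALLET_WORDS = ("box", "pallet", "warehouse", "liquidation", "mystery",
                "surprise", "returns", "treasure")
LOG_RE = re.compile(r"client=(\S+)\s+q=(\S+)")

def classify_domain(domain: str) -> Optional[str]:
    """Return a pattern label if the domain matches a known scam construct, else None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    if sld in BRANDS or sld == "amazon":             # genuine <brand>.<tld>, any subdomain
        return None
    if tld == "shop" and any(sld.startswith(b) and sld[len(b):] in SUFFIX_WORDS
                             for b in BRANDS):
        return "brand-safe-shop"
    if "amazon" in sld or (AMAZON_ABBR.search(sld)
                           and any(w in sld for w in PALLET_WORDS)):
        return "amazon-lookalike"
    if tld in ("blackfriday", "christmas"):          # countdown / staging pages
        return "seasonal-tld"
    return None

def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, domain, label) for every query that matches a scam pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            client, domain = m.groups()
            label = classify_domain(domain)
            if label:
                hits.append((client, domain, label))
    return hits

if __name__ == "__main__":
    for client, domain, label in scan_dns_log(SAMPLE_LOG):
        print(f"{client}\t{domain}\t{label}")
```

A hit on "brand-safe-shop" or "amazon-lookalike" is a strong candidate for blocking, whereas "seasonal-tld" is better treated as an enrichment signal to review alongside proxy and checkout traffic.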
At the endpoint and identity level, multi-factor authentication and robust password hygiene remain critical in mitigating the fallout when users reuse credentials on malicious sites. Security monitoring should be tuned to detect credential stuffing attempts and anomalous login behaviour that could stem from data harvested in campaigns such as this.
From an awareness perspective, organisations should explicitly brief staff that:
- Legitimate retailers rarely require you to rush a purchase decision on a countdown clock.
- Extremely deep discounts on premium brands, particularly via unknown .shop domains or “returns/mystery box” offers, are a major red flag.
- Work email addresses and corporate payment cards should not be used on unverified retail sites.
Finally, incident response teams should be prepared for a higher volume of fraud-related queries and low-level security incidents during the festive period, with playbooks in place that distinguish pure payment fraud from potential corporate credential compromise.
How Cyber Defence Can Help
At Cyber Defence, our Threat Intelligence and SOC365 teams are actively tracking this and similar campaigns targeting seasonal retail activity. Indicators from the identified infrastructure, including relevant domains, hostnames and file hashes, are incorporated into our detection logic, enrichment pipelines and customer-facing threat feeds.
For our clients, that means:
- Proactive blocking of known malicious domains at the network and DNS layers where integrated.
- Enrichment of suspicious web traffic and proxy logs with threat intel context, helping analysts quickly identify high-risk sessions.
- Correlation between user account activity and known compromised ecosystems to identify potential credential reuse.
We also work with clients to tailor their user awareness campaigns around peak risk periods such as Black Friday, Christmas and other major sales events, ensuring that staff understand how these scams present themselves and how to avoid becoming victims.
If you would like to understand whether your organisation’s users are being targeted by this specific ecosystem of fake holiday stores, or you require assistance integrating these indicators into your existing security controls, our team is available to help.
The festive season should be a time of celebration, not compromise. By combining high-quality threat intelligence, robust technical controls and informed users, it is possible to significantly reduce the risk posed by holiday-themed fraud campaigns such as this one.