Fake trust badges | Image: CloudSEK
As the holiday shopping season accelerates, cybersecurity researchers have identified a sprawling network of fraudulent online stores designed to exploit the Black Friday and Cyber Monday frenzy. A new analysis from CloudSEK has uncovered two distinct, massive clusters of fake storefronts using sophisticated “typosquatting” and automated templates to deceive consumers looking for deep discounts.
These “fake shop operations” are timed specifically to “maximize victim traffic and transaction volume” during the year’s busiest shopping period.
Cluster A: The Amazon “Typosquatters”
The first identified cluster comprises more than 750 interconnected sites, heavily focused on impersonating the retail giant Amazon. These sites utilize “uniform holiday banners, urgency messaging, and misleading trust indicators” to trick users into believing they are on legitimate clearance or return-pallet pages.
Key Indicators:
- Typosquatted Domains: Attackers register domains that closely mimic legitimate brands, such as atoztreasure.com and amaboxreturns.com.
- Shared Infrastructure: The investigation revealed a shared Content Delivery Network (CDN) resource, cdn.cloud360.top, used across this cluster to host holiday-themed assets like “flipclock” countdown timers.
- Urgency Tactics: The sites employ “scarcity messaging” such as “Rush Buying” and “Tight Inventory” alongside fabricated pop-ups claiming recent purchases by other users.
The “Shell Game”: How They Steal Your Money
One of the most dangerous aspects of Cluster A is its payment processing method. Rather than processing payments directly on the fake Amazon storefronts, the operators leverage “shell merchant websites” to process PayPal and card transactions.
For example, a victim attempting to check out on amaboxreturns.com is silently redirected through georgmat.com. This shell domain remains “unflagged on security reputation platforms,” allowing the attacker to “complete fraudulent financial transactions without immediately triggering risk controls”. WHOIS records for these shell sites often show hosting in China, despite the storefronts claiming to be U.S.-based.
Cluster B: The “.Shop” Avalanche
The second cluster is significantly larger, spanning a “broad .shop ecosystem” that includes domains mimicking a vast array of consumer brands, from Apple and Samsung to specialized brands like 8BitDo and Shimano.
- Massive Scale: Researchers pivoted on a specific HTML element (el-dialog) to uncover over 200,000 .shop domains, a majority of which were potentially abusing the same holiday-themed scam template.
- Automated Deployment: By examining the top 1,000 domains in this cluster, analysts observed a “consistent Black Friday modal structure,” indicating widespread, automated reuse of a scam-associated template.
- Recurring Code: A key technical fingerprint for this cluster is a recurring JavaScript file found across the sites. While the filename changes, the body content remains identical, identified by the SHA-256 hash 095a3ebc77f4e46b3adda543b61d90b7d3f20b41532c07772edd31908d060bb2.
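Added example, not CloudSEK's tooling or code from the article: a defender-side triage check that applies the fingerprints reported for both clusters (the shared CDN host and scarcity phrases of Cluster A, the el-dialog element and recurring script hash of Cluster B) to one fetched page, plus the checkout-redirect test the Consumer Advice below recommends. The function names and the sample HTML are constructed for illustration; the hash, CDN host and domains are the ones quoted in the article.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators quoted in the article (CloudSEK): shared CDN host, the "el-dialog"
# element used to pivot on Cluster B, scarcity phrases, recurring script SHA-256.
SHARED_CDN = "cdn.cloud360.top"
KNOWN_SCRIPT_HASHES = {"095a3ebc77f4e46b3adda543b61d90b7d3f20b41532c07772edd31908d060bb2"}
SCARCITY_PHRASES = ("rush buying", "tight inventory", "only 2 left")
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def score_page(html, external_scripts=(), known_hashes=KNOWN_SCRIPT_HASHES):
    """Report which template fingerprints appear in one fetched page.
    external_scripts: bodies (bytes) of <script src=...> files the caller has
    already fetched; hashing the body makes the changing filename irrelevant."""
    lower = html.lower()
    bodies = [m.group(1).encode() for m in INLINE_SCRIPT_RE.finditer(html)]
    bodies.extend(external_scripts)
    hits = {
        "el_dialog": "el-dialog" in lower,
        "shared_cdn": SHARED_CDN in lower,
        "flipclock": "flipclock" in lower,
        "scarcity": [p for p in SCARCITY_PHRASES if p in lower],
        "known_script": any(sha256_hex(b) in known_hashes for b in bodies),
    }
    # One point per indicator class; scarcity counts once however many phrases match.
    hits["score"] = sum(bool(v) for v in list(hits.values()))
    return hits

def checkout_leaves_site(store_url: str, checkout_url: str) -> bool:
    """True when checkout lands on another domain (the shell-merchant redirect
    the article describes). Only the last two labels are compared, so a
    subdomain of the store itself does not trip the check."""
    def base(url):
        return ".".join(urlsplit(url).hostname.lower().split(".")[-2:])
    return base(store_url) != base(checkout_url)

# Constructed sample page (not a real capture) carrying four of the indicators.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.cloud360.top/flipclock.min.js"></script>
<div class="el-dialog">Black Friday Clearance - Rush Buying!</div>
</body></html>"""

if __name__ == "__main__":
    print(score_page(SAMPLE_HTML))
    print(checkout_leaves_site("https://amaboxreturns.com/cart", "https://georgmat.com/pay"))
```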
Consumer Advice
While registrars are taking down some of these domains, “many remain active,” posing a “continued risk” to unsuspecting shoppers.
- Verify URLs: Be wary of generic top-level domains like .shop or .top when expecting a major retailer.
- Check for Redirection: Watch the URL bar during checkout. If amazon-returns-sale.com suddenly sends you to random-bakery-site.com to pay, abort the transaction immediately.
- Ignore False Urgency: “Flipclock” timers and “only 2 left” warnings are hardcoded templates, not real inventory data.