- CloudSEK warns against 2,000+ fake Black Friday e-commerce sites stealing money and data
- Fraud clusters impersonate Amazon, big brands, using rush timers and phishing checkout kits
- The campaign could bring in $24 million, showing industrialized, automated holiday fraud on a massive scale
This Black Friday, there are thousands of fake online stores designed only to steal your money and your sensitive data.
This is the warning given by cyber security experts CloudSEK, who are sounding the alarm about two major scam clusters active right now.
One of the best ways to spot a phishing or scam attempt is its sense of urgency: scams usually involve an offer that is about to expire or a threat that an account will be suspended unless immediate action is taken. But Black Friday deals are also time-limited, which helps criminals hide their intentions even better.
Spoofing retailers and big brands
CloudSEK found more than 2,000 fraudulent holiday-themed e-commerce websites designed to exploit customer trust by impersonating popular retailers. These sites were part of two huge clusters – one consisting of about 750 sites, and one with more than 1,000 domains.
The first cluster mostly mimics Amazon and other retailers. The sites look almost identical, with similar templates, flip-clock-style rush timers, fake trust marks, and pop-ups that appear to show recent purchases.
The sites in the second cluster are all under the .shop top-level domain and impersonate big brands instead of retailers. Samsung, Ray-Ban, Xiaomi, Jo Malone and others are mentioned.
“These sites replicate the same Black Friday/Cyber Monday template and fraudulent payment process for financial fraud, indicating the use of a standardized phishing kit,” the researchers said, adding that the payments are redirected to attacker-controlled shell checkout sites.
It is unclear how people land on these sites, but CloudSEK speculates that it is most likely through social media ads, SEO poisoning, and direct advertising through instant messaging platforms such as WhatsApp and Telegram. The researchers believe each site could earn up to $12,000, meaning the entire campaign could bring in more than $24 million in stolen money.
For Ibrahim Saify, a security researcher at CloudSEK, this is a demonstration of “the industrialization of holiday scams.”
“The scale of this ecosystem, spanning more than 2,000 coordinated fake domains, shows how quickly cybercriminals are automating fraud. If left unchecked, these scams can cause significant financial losses to consumers and erode confidence in global e-commerce during the busiest season,” Saify emphasized.