- CloudSEK warns of over 2,000 fake Black Friday e-commerce sites that steal money and data
- Fraudulent clusters are impersonating Amazon and major brands, using urgency timers and phishing payment kits
- The campaign could make $24 million, showing industrialized, automated holiday fraud on a large scale
This Black Friday, there are thousands of fake online stores designed only to steal your money and sensitive data.
That’s the warning from cybersecurity experts CloudSEK, who are sounding the alarm on two major scam clusters currently active.
One of the best ways to spot a phishing or scam attempt is its sense of urgency: scams usually present an offer that is about to expire, or threaten to suspend an account unless immediate action is taken. But Black Friday deals are also time-limited, which helps criminals hide their intentions.
Impersonation of retailers and major brands
CloudSEK discovered more than 2,000 fraudulent holiday-themed e-commerce sites designed to exploit customer trust by impersonating popular retailers. These websites were part of two huge clusters: one with around 750 sites and the other with over 1,000 domains.
The first cluster primarily impersonates Amazon and other retailers. The sites are nearly identical, with similar designs, flip-clock-style urgency timers, fake trust badges, and pop-ups that appear to show recent purchases.
The second cluster sits under the .shop top-level domain and impersonates big brands rather than retailers. Samsung, Ray-Ban, Xiaomi, Jo Malone and others are mentioned.
“These sites replicate the same Black Friday/Cyber Monday model and fraudulent payment process for financial fraud, indicating the use of a standardized phishing kit,” the researchers said, adding that payments are redirected to shell payment sites controlled by the attackers.
It’s unclear exactly how people land on these sites, but CloudSEK speculates that it’s most likely due to social media ads, SEO poisoning, and direct advertising through instant messaging platforms like WhatsApp and Telegram. Researchers estimate that each site could net up to $12,000, meaning the entire campaign could net more than $24 million in stolen money.
For Ibrahim Saify, security researcher at CloudSEK, this is a demonstration of “the industrialization of holiday-related scams”.
“The scale of this ecosystem, spanning more than 2,000 coordinated fake domains, shows how quickly cybercriminals are automating fraud. If left unchecked, these scams could lead to significant financial losses for consumers and erode confidence in global e-commerce during its busiest season,” Saify stressed.




