Hackers Registered 2,000+ Fake Holiday-Themed Online Stores to Steal User Payments

With the holiday shopping season kicking into high gear, a massive cybersecurity threat has emerged, putting online shoppers at significant risk.

A coordinated campaign has been discovered, involving the registration of over 2,000 fake holiday-themed online stores.

These malicious sites are designed to lure unsuspecting consumers with the promise of steep discounts, only to steal their payment information and personal data.

The scale of this operation is vast, with two distinct clusters of fraudulent storefronts identified, both employing sophisticated tactics to appear legitimate and deceive shoppers.

The first cluster primarily consists of typosquatted domains mimicking Amazon, while the second spans a wide array of “.shop” domains impersonating well-known brands such as Apple, Samsung, and Ray-Ban.

These fake stores are not isolated incidents but part of a large-scale, automated campaign. The threat actors behind this operation have timed their attack to coincide with peak shopping periods like Black Friday and Cyber Monday, when consumers are actively hunting for bargains and may be less cautious about unfamiliar websites.

Fake storefront (Source - CloudSEK)

CloudSEK security researchers noted the coordinated nature of these scams, identifying the use of identical phishing kits, recurring website templates, and shared infrastructure across the network of fake stores.

This level of coordination suggests a well-organized and resourced operation. The impact on consumers is severe, ranging from direct financial losses to the long-term risks of identity theft.

Furthermore, these scams erode trust in legitimate online retailers and the e-commerce ecosystem as a whole.

Infection and Deception Tactics

The modus operandi of these fake stores is both simple and effective. They leverage a combination of social engineering and technical evasion to trick users and avoid detection.

The sites are designed to look like professional e-commerce platforms, complete with holiday-themed banners, countdown timers creating a false sense of urgency, and fake “trust badges” to build credibility.

Fabricated “recent purchase” pop-ups are also used to create social proof and pressure visitors into making a purchase.

Fake Landing Page (Source - CloudSEK)

When a user attempts to buy a product, they are redirected to a shell checkout page designed to harvest their billing and payment details.

These shell websites often use unflagged domains to process transactions, allowing the attackers to bypass fraud detection systems.

Fake and Impersonating Domains

Domain Cluster              Impersonated Brand   Fake Domain Examples
Cluster A (Amazon-themed)   Amazon               amaboxhub.com, amawarehousesale.com, amaznshop.com
Cluster B (.shop domains)   Xiaomi               xiaomidea.shop
                            Jo Malone            Jomalonesafe.shop
                            Fujifilm             Fujifilmsafe.shop
                            Samsung              Samsungsafe.shop
                            Any popular brand    [brand]safe.shop or [brand]fast.shop
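As an added illustration (not code from CloudSEK's report), the following Python heuristic flags domains that fit the two naming patterns in the table: shortened "ama…"/"amazn…" Amazon typosquats for Cluster A, and brand-prefixed .shop names for Cluster B. The brand list, the allowlist of genuine apex domains and the sample feed are constructed for this example; a defender would run something like this over a newly-registered-domain feed as a triage signal, not a final verdict.

```python
import re

# Brands named in the report mapped to their genuine apex domains (allowlist).
# Both the brand list and the allowlist are constructed here and are not exhaustive.
LEGIT = {
    "amazon": {"amazon.com"}, "apple": {"apple.com"}, "samsung": {"samsung.com"},
    "xiaomi": {"mi.com", "xiaomi.com"}, "jomalone": {"jomalone.com"},
    "fujifilm": {"fujifilm.com"}, "rayban": {"ray-ban.com"},
}
# Cluster A: shortened Amazon prefixes ("ama...", "amazn..."). Broad on purpose;
# it will also catch unrelated "ama..." names, so treat hits as triage candidates.
AMAZON_PREFIX = re.compile(r"^(amazn|ama)[a-z0-9-]*$")
# Cluster B: a brand name followed by filler such as "safe" or "fast" under .shop.
BRAND_SHOP = re.compile(r"^(%s)[a-z0-9-]*$" % "|".join(LEGIT))


def classify(domain):
    """Return (cluster, brand) when the domain matches a report pattern, else None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    sld, tld = labels[-2], labels[-1]
    apex = sld + "." + tld
    if any(apex in allowed for allowed in LEGIT.values()):
        return None  # genuine brand domain, never flagged
    if tld == "shop":
        m = BRAND_SHOP.match(sld)
        if m:
            return ("B", m.group(1))
    if AMAZON_PREFIX.match(sld):
        return ("A", "amazon")
    return None


def triage(domains):
    """Classify every domain in a feed; None means no pattern matched."""
    return {d: classify(d) for d in domains}


# Constructed sample feed: the report's examples mixed with benign names.
SAMPLE = ["amaboxhub.com", "amaznshop.com", "xiaomidea.shop", "Samsungsafe.shop",
          "fujifilmfast.shop", "amazon.com", "example.shop", "apple.com"]

if __name__ == "__main__":
    for d, verdict in triage(SAMPLE).items():
        print(f"{d:20} -> {verdict or 'no match'}")
```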

The investigation also revealed that a shared Content Delivery Network (CDN), cdn.cloud360.top, was used to serve assets to over 750 of the fake stores, further highlighting the centralized nature of the campaign.

A recurring JavaScript file, identified by its unique SHA-256 hash, was also found across numerous malicious .shop domains, controlling the fraudulent checkout process.
