Shoppers looking for great deals this holiday season need to be extra careful, as a massive operation involving over 2,000 fake online stores has been found, timed perfectly to steal money and personal details during peak sales like Black Friday and Cyber Monday.
Cybersecurity firm CloudSEK recently discovered this huge network and shared its research with Hackread.com. According to CloudSEK’s analysis, these aren’t isolated incidents; they are highly organised operations using identical methods to trick people, making this one of the largest coordinated scam efforts seen this shopping season.
The fake sites were identified by their suspicious resource usage and recurring templates. This operation includes two main groups: one with over 750 interconnected sites, 170 of which impersonate Amazon using uniform banners, flipclock-style urgency timers, and misleading trust symbols. The second group comprises over 1,000 .shop domains impersonating major brands like Apple, Samsung, Dell, Ray-Ban, and Xiaomi.
How Scammers Are Tricking Customers
These fake shops look real because scammers have used the same basic tools (phishing kits) to quickly build thousands of similar websites. To rush buyers into purchasing, they use fake countdown timers and urgent messages about low stock.
The sites are linked because they all load their designs from the same shared source, like a digital fingerprint, which allowed CloudSEK to trace these stores back to a single criminal group. The sites are spread through social media ads, search results, and messaging apps like WhatsApp and Telegram.
Researchers explain that once a shopper decides to buy, they are sent to a shell checkout page, which looks like a standard payment screen but is actually designed to steal sensitive financial details. For example, the domain amaboxreturns.com redirects payment through another unflagged domain, allowing criminals to complete fraudulent transactions without raising alarms. CloudSEK noted that these payment portals often use a China-based provider for hosting.

“WHOIS records for georgmat.com indicate hosting through a China-based provider (Alibaba Cloud Computing Ltd.) with registration details listing Guangdong as the administrative state. The geographic mismatch between the infrastructure and the impersonated US retail brands increases suspicion and supports the assessment that the domain is being leveraged as part of a fraudulent, holiday-themed payment redirection scheme,” the blog post reads.
Researchers estimate that with a conversion rate of between 3% and 8% of visitors becoming victims, scammers could potentially earn between $2,000 and $12,000 per fake site before it gets shut down. While some fake domains have been closed, many remain active, becoming fully operational right before big sales events to maximise the number of victims.
“If left unchecked, these scams could cause significant financial losses for consumers and erode trust in global e-commerce during its busiest season,” said Ibrahim Saify, Security Researcher, CloudSEK.
What Shoppers Need to Look Out For
Finding a deal that is too good to be true is the first sign of a scam. To stay safe, CloudSEK says shoppers should watch out for flashy banners or aggressive messages like “Limited Time!” designed to create panic; domain names that combine a brand name with extra words like safe, fast, or sale (like brandname-safe.shop); missing or fake contact information; and identical layouts across different store names.
If you see any of these warning signs, the safest choice is to avoid the site and verify the deal on the brand’s official website.
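For brand-protection and fraud teams, the two signals the article describes (domain names that pair a brand with an extra word, and storefronts that load their design from the same shared source) can be checked as in the added example below. It is not CloudSEK's tooling: the function names, the watchlists, and the sample pages and hosts are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watchlists, built from the brands and extra words the article names.
BRANDS = ("amazon", "apple", "samsung", "dell", "rayban", "xiaomi")
LURE_WORDS = ("safe", "fast", "sale")

def lookalike_reason(domain):
    """Return 'brand+word' if the label before the TLD mixes a brand with a lure word."""
    labels = domain.lower().split(".")
    label = labels[-2].replace("-", "") if len(labels) >= 2 else ""
    for brand in BRANDS:
        rest = label.replace(brand, "", 1)  # what is left besides the brand name
        if brand in label and rest:
            for word in LURE_WORDS:
                if word in rest:
                    return f"{brand}+{word}"
    return None  # bare brand label (e.g. apple.com) or no brand at all

class _AssetHosts(HTMLParser):
    """Collect the hosts a page loads scripts, stylesheets and images from."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link", "img"):
            for key, value in attrs:
                if key in ("src", "href") and value:
                    host = urlparse(value).hostname  # None for relative paths
                    if host:
                        self.hosts.add(host)

def shared_asset_clusters(pages, min_sites=2):
    """Map each off-site asset host to the storefronts loading from it (allowlist real CDNs)."""
    by_host = defaultdict(set)
    for site, html in pages.items():
        parser = _AssetHosts()
        parser.feed(html)
        for host in parser.hosts:
            if host != site and not host.endswith("." + site):
                by_host[host].add(site)
    return {h: sorted(s) for h, s in by_host.items() if len(s) >= min_sites}

# Constructed sample pages; none of these domains or hosts come from the research.
PAGES = {
    "apple-sale.shop": '<link rel="stylesheet" href="https://static.kit-cdn.example/t.css">',
    "samsung-fast.shop": '<script src="//static.kit-cdn.example/flipclock.js"></script>',
    "corner-bakery.example": '<script src="https://corner-bakery.example/app.js"></script>',
}
```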
