Executive Summary

As the holiday shopping season approaches, Black Friday and Cyber Monday create an environment where consumers actively search for steep discounts across unfamiliar online stores - making them prime targets for large-scale fake shop operations. During this analysis, two potentially coordinated clusters of holiday-themed storefronts were identified through suspicious resource usage and recurring website templates. The first cluster includes what appears to be a major concentration of Amazon-themed typosquatted domains, though not exclusively Amazon-related, and comprises more than 750 interconnected sites using uniform holiday banners, urgency messaging, and misleading trust indicators. The second cluster spans a broad .shop ecosystem and includes domains that appear to mimic well-known consumer brands - such as Apple, AMD, Dell, Cisco, Logitech, Toshiba, Ray-Ban, Nivea Men, Paula’s Choice, Rare Beauty, SK Hynix, 8BitDo, Viomi, Tim Hortons, Aetna, Ahava, Olympus, Snapple, Fiio, Gotrax, Meetion, Yale, Xiaomi, Jo Malone, Fujifilm, Amazfit, COSRX, Samsung, Garmin, Shark, HP, Seagate, and Omron - based on naming patterns and shared template characteristics.

By examining the top 1,000 domains from this second cluster, a consistent Black Friday modal structure was observed across numerous sites, indicating widespread reuse of the same scam-associated template. While several of these domains have already been taken down by registrars and hosting providers, many remain active, underscoring the scale, automation, and seasonal timing of these holiday-focused fake store campaigns, and the continued risk they pose to unsuspecting shoppers during high-traffic sale periods.

These websites are likely to activate during holiday periods to maximize victim traffic and transaction volume.

Cluster A

1. Initial Discovery via Dorking (Based on previous yearly fake shop scams)
   → Targeted queries led to a fake storefront:
   atoztreasure[.]com

2. Usage of HTML “Flipclock” Holiday Assets
   A shared CSS structure enabling holiday-specific banners also showcasing the resource that was used to identify the other 750+ domains ie cdn.cloud360[.]top :

Template Characteristics & Website Analysis

‍

‍

Fake trust badges, scarcity messaging (“Rush Buying”, “Tight Inventory”), and fabricated recent-purchase pop-ups are used to pressure victims into completing fraudulent transactions.

‍

Checkout pages capture full billing and payment details, enabling direct financial theft through fraudulent Black Friday fake shop operations

Utilization of Shell Websites

The phishing clusters leverage shell merchant websites to process PayPal and payment-card transactions, reducing the likelihood of fraud detection once the victim proceeds to checkout. For example, in the case of amaboxreturns[.]com, payment redirection occurs through georgmat[.]com - a domain that remains unflagged on security reputation platforms such as VirusTotal - enabling the attacker to complete fraudulent financial transactions without immediately triggering risk controls.

‍

‍

‍

‍

‍

‍

‍

WHOIS records for georgmat[.]com indicate hosting through a China-based provider (Alibaba Cloud Computing Ltd.) with registration details listing Guangdong as the administrative state. The geographic mismatch between the infrastructure and the impersonated U.S. retail brands increases suspicion and supports the assessment that the domain is being leveraged as part of a fraudulent, holiday-themed payment redirection scheme.

‍

List of Some Shell Websites Collected

• www.thewonsel.com
• www.kinwony.com
• www.hwujo.com
• www.qinsony.com
• www.pasony.com
• www.loyoyi.com
• www.qiotong.com
• www.georgmat.com
• www.tisuny.com
• www.hiwoji.com
• www.sintayo.com
• www.howokin.com

Pivot:

A shared suspicious CDN reference - cdn.cloud360[.]top (Usage of a CDN having TLD known for distributing malware - Source) - was identified across the first cluster. This CDN acted as a common resource host, serving holiday-themed assets, flipclock banners, icons, and template files reused throughout the network of fraudulent storefronts.

By pivoting on this single CDN indicator, the investigation uncovered 750+ potentially fake shop domains leveraging the same hosted assets and layout components, indicating that they have a high likelihood of belonging to a centrally managed or widely distributed phishing kit infrastructure based on indicators mentioned above.

Another strong template-based indicator emerged from the recurring flipclock holiday timer HTML/CSS content, which dynamically swaps banners for events such as Black Friday, Cyber Monday, Christmas, and Thanksgiving. When combined with FOFA searches for matching Amazon favicon hashes, this pattern provided an additional way to surface potential Amazon-impersonating domains.

The overlap between holiday-themed flipclock assets, Amazon-adjacent favicon hashes, and consistent template reuse across numerous domains strongly suggests a broad set of typosquatted sites likely intended to mimic Amazon during peak shopping periods.

‍

FOFA Query: (body="flipclock.blackFriday{color:#ff2ef5}.flipclock.cyberMonday{color:#00afc8}.flipclock.christmas{color:#e42f2d}") && (icon_hash="226762681" || icon_hash="669141665")  

Typosquatting on Brands from the first cluster revealing potentially impersonating Fake Domains

• www.amaboxhub[.]com
• www.amaboxmarket[.]com
• www.amaboxmarketplus[.]com
• www.amaboxmarkets[.]com
• www.amaboxpallet[.]com
• www.amabxestore[.]com
• www.amafastsale[.]com
• www.amaluckybox[.]com
• www.amaluckybx[.]com
• www.amanpalets[.]com
• www.amanwarehouse[.]com
• www.amapalettes[.]com
• www.amapalletmarket[.]com
• www.amapalletmarkets[.]com
• www.amapalletsales[.]com
• www.amapalletsreturn[.]com
• www.amastorages[.]com
• www.amasuprisepallet[.]com
• www.amawarehousebox[.]com
• www.amawarehousesale[.]com
• www.amawarehousex[.]com
• www.amawhsepallets[.]com
• www.amaxboxsalex[.]com
• www.amazboxde[.]com
• www.amazgeheimnisbox[.]com
• www.amazhotsales[.]com
• www.amaznboxsaleus[.]com
• www.amaznbxstore[.]com
• www.amaznsalepallets[.]com
• www.amaznsbigsale[.]com
• www.amaznshop[.]com
• www.amaznsliquidation[.]com
• www.amazonpalletrush[.]com
• www.amazonreturnsbox[.]com
• www.amazpalette[.]com
• www.amazpalletsgift[.]com
• www.amazrpallets[.]com
• www.amazsaleboxus[.]com
• www.amazsalepalletus[.]com
• www.amazusboxes[.]com
• www.amazxpallets[.]com
• www.amzelectronicbox[.]com
• www.amzglobalpallets[.]com
• www.amzliquidationpallet[.]com
• www.amznbigsale[.]com
• www.amznboxsales[.]com
• www.amznpallet[.]com
• www.amznpalletmarket[.]com
• www.amznreturnsale[.]com
• www.amznsliquidation[.]com
• www.amznsmysterybox[.]com
• www.amzonboxshop[.]com
• www.amzonpaletten[.]com
• www.amzpaletten[.]com
• www.amzpalletliquidation[.]com
• www.amzreturenbox[.]com
• www.amzreturn[.]com
• www.amzreturnpallet[.]com
• amazonshome[.]com

‍

‍

Snapshots showcasing these domains from the first phishing cluster being flagged as malicious on VirusTotal suggesting that these may all potentially be part of the same phishing kit. 

‍

Another tool also suggests that domains from this cluster also belong to phishing kits already out on the internet.

‍

Source: Validin.com 

Cluster B – [.]shop Fake Storefront Fraud Network

Entry Point

→ Google Dorking (Based on previous yearly fake shop scams)

→ Identified via domain: sunnysideupbakerysale.shop

Snapshot of the initial fake shop domain having flashy price reduction banners to induce urgency and rush victims into purchasing fraudulent products and incur financial losses

Website Analysis

Fraudulent checkout flows harvest sensitive billing and financial information, facilitating unauthorized transactions through fake e-commerce sites

‍

‍

Billing and personal details are embedded in URL parameters to streamline logging and data harvesting on the attacker's servers.

Credit card and financial information is captured for fraudulent transactions and mass data theft, leading to severe financial losses for victims.

These fake shops exploit holiday sales like Black Friday, luring users with massive discounts and unrealistically low prices to maximize deception and profit.

‍

‍

Pivot:

Using FOFA for infrastructure and content-based pivoting, the el-dialog Black Friday body field extracted from the initially identified fake domain served as one of the indicators. This pivot returned over 200,000 [.]shop domains for which a majority was discovered potentially abusing the same template structure and holiday-themed fake shop design, highlighting possible large-scale industrialized reuse of a phishing kit across the .shop TLD.

‍

FOFA Query: (body="<el-dialog" && body="black_Friday" && body="black_Friday_content" && body="left_image")

‍

Note: The 200K+ FOFA results shown above include both active and historical domains. These entries are surfaced based on shared indicators - such as recurring HTML structures, common body-content patterns, and consistent template artifacts - rather than confirmed malicious behavior for each individual domain. As such, the results represent potential fake shops or fraudulent storefronts, identified through their similarity to known holiday-themed scam templates.

Another key pivot indicator for identifying these fake shop domains is a recurring JavaScript file present across the malicious [.]shop sites. Although the filename is randomly generated for each domain, the body content of the script remains identical, containing the core logic for cart behavior, purchase flow, and fraudulent checkout operations.

The SHA-256 hash of this JavaScript body content provides a highly reliable signature for pivoting. By hashing and correlating this JS template, additional clusters of [.]shop domains can be uncovered. This content-based pivoting enables the enumeration of numerous fake shop sites reusing the same holiday-themed scam framework despite differing filenames, URLs, or superficial changes.

‍

‍

SHA256 Body Hash: 095a3ebc77f4e46b3adda543b61d90b7d3f20b41532c07772edd31908d060bb2

‍

List of Some Potentially Fake & Impersonating Domains from the 2nd Cluster

• xiaomidea[.]shop (XiaoMi)
• Jomalonesafe[.]shop (Jo Malone)
• Fujifilmsafe[.]shop (Fuji Film)
• Amazfitsafe[.]shop (Amazon)
• Cosrxus[.]shop (COSRX)
• Samsungsafe[.]shop (Samsung)
• Garminsafe[.]shop (Garmin)
• sharksafe[.]shop
• Hpksafe[.]shop
• Seagatesafe[.]shop (Seagate)
• Omronsafe[.]shop (Omron)
• aiwasafe[.]shop
• akitassafe[.]shop
• akkosafe[.]shop
• alintorsafe[.]shop
• allegracesafe[.]shop
• allterrainsafe[.]shop
• Kenwoodsafe.shop (KenWood)
• alovesafe[.]shop
• alpakaonline[.]shop
• alpensattelus[.]shop
• amazfitsafe[.]shop
• Amazonamazonbasicsonline[.]shop (Amazon)
• amdsafe[.]shop
• americansafe[.]shop
• Appleipadus.shop (Apple)
• fiiosafe.shop
• snapplesales.shop
• skhynixsafe.shop
• gotraxsafe.shop
• Logitechsafe.shop (Logitech)
• meetionsafe.shop
• Amdsafe.shop (AMD)
• Dellasafe.shop
• fujitsusafe.shop
• Ciscosafe.shop (Cisco)
• aetnasafe.shop
• ahavasafe.shop
• 8bitdosafe.shop (8BitDo)
• Raybansafe.shop (RayBan)
• diadorasafe.shop
• Niveamensafe.shop (Nivea)
• Olympussafe.shop (Olympus)
• paulaschoicefast.shop
• rarebeautysafe.shop
• timhortonssafe.shop
• Toshibafast.shop (Toshiba)
• westerndigitalsafe.shop
• yalesafe.shop
• viomisafe.shop
• apremiumsafe[.]shop
• aqarasafe[.]shop
• aquafreshsafe[.]shop
• armitronsafe[.]shop
• arrissafe[.]shop
• arussafe[.]shop
• ascotsafe[.]shop
• aspectsafe[.]shop
• astroaisafe[.]shop
• atarisafe[.]shop
• atasus[.]shop
• atomysafe[.]shop
• atuvossafe[.]shop
• avantreesafe[.]shop
• avedasafe[.]shop
• avengerssafe[.]shop
• awarasafe[.]shop
• ayeshasafe[.]shop
• babygosafe[.]shop
• babylisssafe[.]shop
• babymoovsafe[.]shop
• badensafe[.]shop
• badusafe[.]shop
• bahcosafe[.]shop
• balancesafe[.]shop
• banquetfast[.]shop
• banquetusabst[.]shop
• barberbosssafe[.]shop
• barcosafe[.]shop
• barneysafe[.]shop
• baronsafe[.]shop
• bboxsalede[.]shop
• bcwsafe[.]shop
• beelinksafe[.]shop
• bellavitasafe[.]shop
• benadrylsafe[.]shop
• benfeisafe[.]shop
• berkshirestore[.]shop
• bernysafe[.]shop
• besteksafe[.]shop
• bestronsafe[.]shop
• bestwaysafe[.]shop
• bett1safe[.]shop
• beyerdynamicsafe[.]shop
• bhcosmeticssafe[.]shop
• bianyosafe[.]shop
• biggamesafe[.]shop
• biibsafe[.]shop
• billblasssafe[.]shop
• billiesales[.]shop
• billieusbst[.]shop
• bionairestore[.]shop
• bizzysafe[.]shop
• blackburnsafe[.]shop
• blackbutterflysafe[.]shop
• blackflagsafe[.]shop
• blackstonesafe[.]shop
• blindscontrol[.]shop
• blinksafe[.]shop
• blossomsafe[.]shop
• blueboxstore[.]shop
• bluemoonsafe[.]shop
• blueorangesafe[.]shop
• bluepetsafe[.]shop
• bluettisafe[.]shop
• bluewavesafe[.]shop
• bluntsafe[.]shop
• boaosafe[.]shop
• bodegasafe[.]shop
• bodhisafe[.]shop
• bodisafe[.]shop
• bodyguardsafe[.]shop
• bonessafe[.]shop
• bonidesafe[.]shop
• bonsafe[.]shop
• bontecsafe[.]shop
• borosafe[.]shop
• boxercraftsafe[.]shop
• bradleysafe[.]shop
• bravensafe[.]shop
• brennenstuhlsafe[.]shop
• bricosafe[.]shop
• bridgestonesafe[.]shop
• brpsafe[.]shop
• brynsafe[.]shop
• bsnsafe[.]shop
• btfbmsafe[.]shop
• bublysafe[.]shop
• bubssafe[.]shop
• buglessaleus[.]shop
• bulovasafe[.]shop
• buoysafe[.]shop
• burstsafe[.]shop
• busybeesafe[.]shop
• busysafe[.]shop
• butterfingersafe[.]shop
• bwesafe[.]shop
• bybenyarsafe[.]shop
• camechosafe[.]shop
• capturesafe[.]shop
• careallsafe[.]shop
• carnivalsafe[.]shop
• cartmansafe[.]shop

‍

‍

Infrastructure (Net Blocks) of Both Clusters

Shared Hosting Infrastructure Seen Across Campaigns

‍

WHOIS Record Statistics of 1st Cluster (Based on Total Count of Domains)

WHOIS Record Statistics of the second cluster (Based on first 1000 Domains):

Threat Actor Objectives (TTPs & Modus Operandi)

‍

Medium of Propagation (Likely Methods)

The precise distribution mechanisms used to funnel victims toward these fraudulent shop domains remain undetermined. However, based on established patterns observed in large-scale holiday-themed scam operations, several probable propagation channels can be reasonably inferred:

• Messaging Platforms (Highly Likely Vector): These campaigns may circulate through WhatsApp, Telegram, and similar messaging apps where scammers distribute short, time-sensitive links paired with aggressive discount narratives. Such channels allow rapid, low-visibility dissemination with minimal platform oversight.

• Private or Closed Social Media Sharing: While no direct evidence links the clusters to mainstream public advertising, attackers may still leverage closed Facebook groups, community buy/sell pages, or informal user-generated posts that mimic legitimate brand promotions, especially around Black Friday and holiday sales.

• Meta Ads Library & Instagram Ads/Reels (Potential Advertising Vector): Threat actors may attempt to run low-cost, short-lived ads on Meta platforms (Facebook/Instagram), exploiting Meta Ads Library to push fake storefront promotions under the guise of flash sales or exclusive holiday discounts. Such ads often evade early detection by using newly registered domains, generic product imagery, and limited targeting windows.

• Search Engine Optimization (SEO Abuse): Another plausible strategy involves SEO manipulation. Fraudulent storefronts may be optimized to appear in search results for specific product names, branded queries, or high-volume holiday deal keywords. During Black Friday or peak shopping periods, users are much more likely to click unfamiliar shop links that appear legitimate in search results.

• Phishing Emails or SMS Campaigns: These operations may also utilize phishing email blasts or SMS promotions, presenting themed messages such as “limited Black Friday stock,” “urgent clearance sale,” or “holiday mega-discount,” thereby increasing victim click-through rates through urgency-based social engineering.

• Affiliate-Style Redirect Chains & Ads: Threat actors may route victims through redirector pages, compromised coupon blogs, misleading ad placements, or malvertising chains, directing users to the final fake shop domain while obscuring the source.

Collectively, these inferred vectors represent the most plausible methods through which victims are being driven to the fraudulent shop sites — particularly during periods of heightened shopping activity such as Black Friday, Cyber Monday, and Christmas sales, when user susceptibility to “too good to be true” offers is significantly elevated.

‍

‍

Leveraging The CloudSEK Platform

By applying the keywords, indicators, and template-based patterns identified throughout this analysis, the CloudSEK Platform was able to surface additional fake pages and suspicious domains potentially linked to the two clusters discussed above. Using continuous internet-wide crawling and keyword-driven detection, the platform flagged domains that appeared to impersonate well-known brands, abuse brand names, or reuse the same holiday-themed templates. This enabled the identification of multiple potential phishing and fake shop domains exhibiting similar infrastructure traits, resource usage, and UI elements, further validating the breadth and scale of the observed activity.

Impact

• Financial Losses to Consumers: Victims experience direct monetary theft through unauthorized card transactions initiated after entering payment data into fake holiday-themed storefronts. These losses often remain unrecoverable due to offshore hosting and fast-disappearing scam domains.

• Exposure of Sensitive Personal & Financial Data: Fake shops harvest full billing, credit card, and identity details—often sent via insecure GET parameters—leading to long-term risks of identity fraud, account takeover, and resale of victim data on underground markets.

• Erosion of Trust in Legitimate Retailers: Scams impersonating major U.S. brands damage public trust, causing consumers to mistakenly associate fraudulent activity with legitimate companies and overwhelming brands with refund requests and dispute claims.

• Operational Burden on Banks & Payment Providers: Financial institutions face spikes in chargebacks, fraud alerts, and dispute investigations as scammers exploit stolen payment information, particularly during Black Friday–level transaction volume.

• Amplification via SEO & Online Advertising Abuse: Scammers weaponize search engine optimization and potentially paid ad platforms (including Meta Ads) to increase visibility during holiday sales, making malicious shops appear legitimate to unsuspecting users.

• Exploitation of Messaging Platforms for Link Distribution: Potential spreading of malicious shop URLs via WhatsApp, Telegram, and other private channels increases reach, enabling scammers to target victims with personalized or group-based holiday discount pitches.

• Large-Scale Automated Deployment: With hundreds to thousands of domains sharing identical templates and scripts, scammers rapidly deploy and re-theme fake stores for each holiday season, maximizing victim impact through high-volume automation.

Conclusion & Key Indicators to Safeguard Yourself

Holiday-themed fake shop campaigns have become highly polished, fast-moving, and automated - designed to exploit the rush of Black Friday, Cyber Monday, and Christmas sales. These sites often look convincing but rely on predictable patterns: urgency tactics (“Rush Buying,” “Tight Inventory”), fake “Certified” seals, and domain names that mimic popular brands using words like safe, fast, sale, or obvious misspellings. Understanding these flags helps even non-technical shoppers recognize when a storefront may not be legitimate.

To stay protected, watch for specific indicators frequently observed in fake holiday shops:

• Flashy red or bright banners with aggressive messages (“Limited Time!”, “Flash Sale!”, “Only Today!”) designed to induce urgency.
• Brand names combined with extra words like safe, fast, deal, sale, us, shop - e.g., brandname-safe.shop.
• Recently created domains (often registered within weeks or couple months of Black Friday or other holidays).
• No real/official contact information - only a form or a generic personal email (Gmail) or unofficial illegitimate company email (like eg. service@samsunghugesale.shop)
• Pop-ups claiming “Recent purchase by John…” or flashy countdown timers.
• Websites with identical layouts across differently named stores - a strong sign of templated scam kits.

If you notice even one or two of these signs, it’s safest to avoid the purchase and verify the deal directly on the brand’s official website. By staying alert to these concrete indicators, shoppers can navigate the holiday season more safely and avoid falling prey to the growing wave of fake shop scams.

‍