Industrial-Scale Retail Brand Impersonation and Malvertising Scams During Black Friday
Cybercriminals have launched widespread campaigns impersonating major retail brands through sophisticated malvertising and phishing operations in the lead-up to Black Friday. Attackers are leveraging short-form video ads and modular scam kits to create convincing phantom storefronts and fake survey reward pages, targeting consumers searching for high-demand holiday gifts. These campaigns exploit the seasonal surge in online shopping and the high volume of ad approvals, making it easier for fraudulent ads to slip through and reach large audiences. Brands such as Amazon, Walmart, Home Depot, and others are being impersonated to lure victims into providing personal information or making fraudulent purchases.
Security researchers have observed that these scams are highly industrialized, with over 100 unique domains using similar fraud templates and dynamically swapping brand imagery to match trending products. The threat landscape includes not only traditional phishing and financial malware but also new vectors such as gaming-related scams and malvertising loops that redirect users to fake offers. The scale and sophistication of these operations highlight the need for increased vigilance from both consumers and ad operations teams during peak shopping periods like Black Friday and Cyber Monday.
Timeline
Nov 27, 2025
Darktrace publishes IoCs from Black Friday phishing campaigns
Darktrace disclosed technical details and indicators of compromise from the November 2025 Black Friday phishing activity, including malicious domains and URLs. The report highlighted the use of short-lived infrastructure, cloud storage endpoints, and rapid domain registration to evade defenses.
Nov 26, 2025
CloudSEK identifies over 2,000 holiday-themed fake stores
CloudSEK detected more than 2,000 fake online stores exploiting Black Friday and festive sales, including two major domain clusters mimicking brands such as Amazon, Apple, and Samsung. The stores used shared phishing kits, fake trust signals, and shell checkout pages to harvest financial and personal data.
Nov 24, 2025
Confiant reports Phantom Stores retail impersonation campaign
Confiant published findings on a 'Phantom Stores' campaign spreading ahead of Black Friday, using video ads and modular holiday-themed kits to impersonate retailers. The activity reflects a coordinated fake-store operation tailored for seasonal shopping traffic.
Nov 24, 2025
Large malvertising campaign pushes fake brand reward scams
A large-scale, organized malvertising operation was detected redirecting Black Friday shoppers from legitimate websites to more than 100 domains impersonating major brands. The campaign used polished survey-and-reward pages to steal personal and payment information and showed signs of a single industrialized threat actor.
Nov 1, 2025
Black Friday phishing campaigns intensify during November shopping period
During the Black Friday shopping period in November 2025, Darktrace observed a significant increase in sophisticated phishing campaigns impersonating brands such as Amazon and Louis Vuitton. The campaigns used newly registered domains, redirect chains, and cloud-hosted infrastructure to deliver credential harvesters and scam storefronts.
Nov 1, 2025
Seasonal spam volumes spike in early November
Kaspersky reported heavy seasonal spam activity in early November 2025 as attackers prepared to exploit Black Friday shopping behavior. The activity included brand-themed lures and shopping-related fraud targeting online consumers.
Jan 1, 2025
Kaspersky records Black Friday-related threat activity through 2025
Using telemetry from January through October 2025, Kaspersky observed sustained phishing, scam, spam, and banking-malware activity tied to e-commerce and major sales events. The data showed millions of blocked phishing attempts, widespread brand impersonation, and more than a million banking Trojan detections during the year.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Surge in Fake Online Shops and Holiday Shopping Scams
Cybercriminals are exploiting the holiday shopping season by launching a wave of fake online shops designed to steal financial and personal information from unsuspecting consumers. These fraudulent e-shops often mimic well-known brands or create convincing new storefronts using advanced tools such as artificial intelligence to generate realistic product descriptions and reviews. Security researchers have observed a dramatic increase in blocked fake e-shop attacks, with millions of attempts thwarted globally and a 185% spike in the United States during October compared to earlier in the year. Scammers leverage legitimate e-commerce platforms and seasonal marketing tactics, such as festive banners and countdown timers, to lure victims, while also investing in targeted ads on social media platforms like Facebook and TikTok to drive traffic to their fraudulent sites. The sophistication and scale of these scams have grown, making it increasingly difficult for consumers to distinguish between real and fake online stores. Attackers are not only after immediate financial gain but also seek to harvest personal data for future scams. Security experts recommend heightened vigilance during peak shopping periods, as the combination of urgency, attractive deals, and professional-looking sites increases the risk of falling victim to these schemes. Staying informed about the latest scam tactics and scrutinizing online shops before making purchases are critical steps to avoid financial loss and identity theft during the holiday season.
1 months ago
Surge in Holiday Season Cyber Threats Targeting Retailers and Consumers
Retailers experienced a significant increase in both legitimate and malicious online activity during the 2025 holiday shopping season, with Black Friday setting new records for consumer spending and cyberattacks. Automated bot attacks surged by 50%, targeting authentication, inventory, and transaction workflows, as attackers sought to exploit the extended peak shopping period and blend in with high consumer traffic. This rise in malicious activity underscores the expanding window of exposure for retailers and the need for robust defenses against account takeover attempts and automated abuse. At the same time, consumers and enterprises faced a wave of holiday-themed cyber scams, including business impersonation, phishing, fraudulent invoices, and social engineering attacks leveraging AI and cryptocurrency. Threat actors exploited the seasonal rush, increased online shopping, and distracted staff to launch scams such as fake e-cards, bogus charity requests, and payment fraud. Security experts and government advisories highlighted the importance of heightened vigilance, secure device usage, and careful validation of transactions to mitigate risks during the holiday period.
1 months ago
Holiday Season Surge in Online Shopping Scams and Phishing Attacks
Cybercriminals are intensifying their efforts to exploit consumers and businesses during the holiday shopping season, leveraging tactics such as SMS scams, phishing emails, and fake websites. Attackers use the urgency of holiday deals and the high volume of online transactions to increase the effectiveness of their campaigns, with AI and automation making fraudulent messages and cloned sites more convincing. Notably, the U.S. Federal Trade Commission reported $470 million in losses from text-based scams in 2024, and researchers have observed a significant rise in both the scale and sophistication of these attacks, including the use of deep-fake voices and realistic phishing lures. Businesses are also being targeted, as seen in a campaign where over 5,000 Facebook advertisers received phishing emails sent from the legitimate facebookmail.com domain, exploiting Meta's business features to bypass security filters and steal credentials. High-profile incidents, such as the attack on Marks & Spencer during a peak shopping period, highlight the financial and operational risks posed by these scams. Security experts recommend measures such as multi-factor authentication, password managers, and the use of virtual cards to mitigate risks, while also warning against trusting unsolicited messages or calls, especially those leveraging AI-driven impersonation techniques.
1 months ago