More Than 2,000 Holiday-Themed Scam Stores Launched to Steal Online Payments

As Black Friday and Cyber Monday approach, internet shoppers are facing a massive surge of holiday-themed scam stores designed to capture payment data and steal money.

More than 2,000 newly discovered fraudulent websites, including more than 750 Amazon-related typosquat domains and over 1,000 .shop sites mimicking well-known brands, have been explicitly activated for the 2025 holiday shopping season.

These scam stores use advanced web templates that closely imitate the look of legitimate retailers, featuring flashy banners, countdown timers, fake trust badges, and fabricated pop-ups claiming items are selling out or that other customers just made purchases.

These psychological tricks urge consumers to act quickly, increasing their likelihood of falling for the scam.

The first central cluster, identified using patterns from previous years’ scams, relies on Amazon-themed typosquatting domains that replicate Amazon’s branding and urgency tactics.

Sites display names that mix the brand with extra words such as “box,” “pallet,” “sale,” and “lucky,” and use aggressive messages like “Rush Buying” or “Tight Inventory.”

A shared content delivery network—cdn.cloud360[.]top—hosts holiday assets and templates, reinforcing suspicion of a centralized scam kit.

The checkout pages on these sites collect full payment details, which are then funneled to attackers via unflagged “shell” merchant websites.

These shell domains, often registered in China, reroute PayPal and credit card processing, making fraud more challenging to detect and preventing payment companies from blocking transactions in real time.

Branded .shop Domains and Advanced Fraud Tactics

A second coordinated group is abusing the .shop top-level domain, with over a thousand websites impersonating popular brands such as Apple, Samsung, Ray-Ban, Dell, and more.

These sites are built around a single reusable Black Friday web template identified by distinctive modal dialogues and a consistent JavaScript file hash.

Some scam domains remain in “coming soon” mode months before the holidays, only to activate instantly just before peak shopping periods.

Ongoing detection suggests this network alone may span hundreds of thousands of automatically generated fake storefronts, as uncovered by large-scale internet scans using platform tools.

Many fraudulent .shop domains are hidden behind Cloudflare’s reverse proxy, making it hard for authorities to trace their origin. Technical evidence from hosting records links these domains to centralized infrastructure providers.

At the same time, WHOIS data shows a suspiciously high concentration of young domain registrations (most registered within weeks or months of Black Friday) from obscure registrars.

Attackers optimize these fraudulent shops for search results, buy ads on social media platforms, and use messaging apps and email spam to lure victims with “exclusive holiday deals.”

Once victims enter their payment details, scammers quickly trigger chargebacks, identity theft, and unrecoverable financial losses.

Holiday shoppers are urged to watch for warning signs: bright banners urging immediate action, extra words mixed into brand-like domain names, sites without legitimate contact information, and uniform layouts across many “deals” sites.

If any of these signs appear, shoppers should avoid purchases and verify directly with official brand websites to stay safe during peak sales events.

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates

The post More Than 2,000 Holiday-Themed Scam Stores Launched to Steal Online Payments appeared first on Cyber Security News.