Holiday Season Sees Surge in Fake Shopping Domains Used by Threat Actors to Target Users

As global shopping events like Black Friday and Singles’ Day drew consumer attention this year, researchers at PreCrime Labs, the research arm of BforeAI, identified a large-scale campaign exploiting fake online store domains to impersonate legitimate retail brands.

The operation, active since early 2025, uses 244 fraudulent domains to trick users into financial fraud and, in some cases, to deliver malware via counterfeit checkout systems.

The campaign relies on industrial-scale domain registration, automated infrastructure deployment, and DNS configuration to mimic the look and feel of well-known retailers such as Zalando, Lululemon, Dr. Martens, IKEA, and Birkenstock.

Analysts observed that the fake domains often replicate brand templates, product pages, and checkout URLs nearly identical to the originals, making them difficult for consumers to detect.

Coordinated Infrastructure Abuse Linked to Chinese Registrars

The investigation traced the fake domains across 43 registrars, with West263 International Limited and Dynadot Inc. identified as the top sources of abuse.

The majority of malicious activity was linked to Chinese infrastructure providers, with China accounting for 79 of the total domains. Several other registrars, NameSilo, Alibaba Cloud/HiChina, and Sav.com, were also used repeatedly by the threat actors.

PreCrime Labs telemetry indicated that these attackers used privacy-protected WHOIS data, automated domain churn, and DNS parking tactics to quickly deploy and rotate fake sites.

The most abused nameserver, ns1.dyna-ns.net, was used across 33 domains, indicating a tightly connected hosting infrastructure and shared back-end servers.

[Figure: Agenda-oriented campaigns]

Tools such as DNSlytics and ASN correlation further showed that even domains registered in Europe or the U.S. resolved to Chinese networks.

Fake Retail Sites Exploit Holiday Sales Events

Domain registration patterns showed a sharp spike in October 2025, with 78 new domains set up ahead of major shopping promotions.

The campaign also leveraged social media ads on TikTok, Facebook, and Google Shopping to lure unsuspecting shoppers with fake sales and “flash deal” offers. Some campaigns exhibited unusual behavior.

For instance, the website peaceforsecurity[.]com disguised itself as a women’s clothing boutique, an example of what researchers call an agenda-oriented campaign, possibly to evade detection or align with trending humanitarian messages.

Others mixed unrelated brand names, such as lululemonsalehub[.]com, which used Lululemon branding to promote unrelated products.
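For defenders triaging a newly-registered-domain feed, the two signals described above (a brand name combined with sale-themed wording, and many such domains sharing one nameserver) can be combined as in the following added example, which is not code from PreCrime Labs or the original article. The watchlist, lure words and every feed entry other than lululemonsalehub[.]com and ns1.dyna-ns.net are constructed assumptions.

```python
from collections import defaultdict

# Assumed watchlist: brands named in the article and their official domains.
BRANDS = {"lululemon": "lululemon.com", "ikea": "ikea.com",
          "zalando": "zalando.com", "birkenstock": "birkenstock.com"}
# Assumed lure words typical of sale-themed storefront names.
LURES = ("sale", "outlet", "deal", "hub", "shop", "store")

# Constructed (domain, nameserver) feed. Only lululemonsalehub[.]com and
# ns1.dyna-ns.net appear in the article; the .example entries are made up.
FEED = [
    ("lululemonsalehub[.]com", "ns1.dyna-ns.net"),
    ("ikea-flashdeal.example", "ns1.dyna-ns.net"),
    ("zalando-outlet.example", "ns1.dyna-ns.net"),
    ("likeable-gifts.example", "ns1.dyna-ns.net"),
    ("birkenstock-sale.example", "ns2.other-dns.example"),
    ("shop.lululemon.com", "ns1.brand-dns.example"),
]

def impersonated_brand(domain):
    """Return the brand a domain imitates, or None if official or unrelated."""
    host = domain.lower().replace("[.]", ".").rstrip(".")  # refang first
    for official in BRANDS.values():
        if host == official or host.endswith("." + official):
            return None  # the brand's own domain or a subdomain of it
    name = host.rsplit(".", 1)[0]  # drop the TLD
    for brand in BRANDS:
        # A brand substring alone is noisy ("likeable" contains "ikea"),
        # so also require a lure word in the rest of the name.
        if brand in name and any(w in name.replace(brand, "") for w in LURES):
            return brand
    return None

def shared_nameserver_clusters(feed, min_size=2):
    """Group brand-imitating domains by nameserver; keep groups >= min_size."""
    groups = defaultdict(list)
    for domain, ns in feed:
        if impersonated_brand(domain):
            groups[ns.lower()].append(domain)
    return {ns: sorted(d) for ns, d in groups.items() if len(d) >= min_size}

if __name__ == "__main__":
    for ns, domains in shared_nameserver_clusters(FEED).items():
        print(ns, len(domains), domains)
```

A cluster is a lead for review rather than a verdict: large DNS providers legitimately serve many unrelated domains, so the nameserver signal only carries weight alongside the brand match.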

PreCrime Labs has escalated confirmed fraudulent domains to registrars such as GMO and Dynadot for immediate suspension, and several hosting clusters have already been taken offline.

The team has also added identified Indicators of Compromise (IOCs) to its PreCrime Watchlist to prevent future abuse.

According to BforeAI, this coordinated infrastructure reflects a growing “fraud-as-a-service” ecosystem that can rapidly scale operations.

With threat actors now automating the creation of counterfeit stores, researchers warn that vigilance will be crucial throughout the holiday season and beyond.

The post Holiday Season Sees Surge in Fake Shopping Domains Used by Threat Actors to Target Users appeared first on Cyber Security News.
