© Insider Narrative. All Rights Reserved.
E-commerce

The Black Friday Cyber Crime Economy: Surge in Fraudulent Domains and eCommerce Scams

This post was originally published on this site.

Guest blog courtesy of Check Point.

Key findings

  • Malicious activity is rising, with 1 in 11 newly registered Black Friday-themed domains classified as harmful.
  • Brand impersonation remains a primary tactic, with 1 in 25 new domains related to the reputable ecommerce marketplaces of Amazon, AliExpress, and Alibaba flagged as malicious.
  • Attackers are deploying convincing fake storefronts that copy logos, layouts, and product imagery to capture credentials and payment data.
  • Recent campaigns impersonating HOKA athletic footwear brand and AliExpress ecommerce site demonstrate active phishing operations tied to Black Friday promotions.

    • Fraudulent Black Friday Domains Continue to Climb

    Seasonal shopping periods regularly trigger domain registration spikes, and criminal actors capitalize on the opportunity to camouflage fraudulent infrastructure. October saw 158 new Black Friday related domains, a staggering 93 percent increase over the 2025 monthly average. Early November intensified that growth, with more than 330 new related domains appearing in only the first 10 days.

    This pace aligns with historical behavior. In 2024, Black Friday domain registration grew 188 percent between October and November. Based on current trends, hundreds of additional domains are likely to appear before month’s end.

    Among all new domains observed in October and early November, 1 in 11 was classified as malicious.

    A clear subgroup of these malicious domains use a structured naming pattern that combines the year 2025, a country name (primarily Spain, Italy and Germany), and Black Friday terminology. Examples include:

  • 2025germanyblackfriday[.]com
  • germany2025blackfridaystores[.]com
  • italyblackfriday2025[.]com
  • spain2025blackfridayshop[.]com

    • Suffixes such as shop, mall, stores, and factory appear frequently, suggesting automated templates or bulk registration tooling.

    As of November 17th, most of these websites are inaccessible; however, the Italian websites are active. All share very similar visual templates with different generic logos such as “ClickShop”, “ShopPay” “SmartShopping.” The websites all contain large images seemingly taken from image repositories (some even include watermarks), pictures of various items on “sale,” and in some cases, also include internal links that mention known brands like H&M, Mango, Columbia, and Ovs.

    The examples suggest a tailored campaign, with an active site using Italian and the other sites likely configured for German and Spanish on the other websites. These additional sites are currently inactive, although they may have been active in the past or could become active again. Such an operation, including all the content, is one that current generative AI tools can perform much quicker and easier. Creating and localizing this type of operation is significantly faster and easier with modern generative AI tools. While there is no clear evidence that AI was used in these specific cases, attackers are increasingly adopting such tools, which will make future campaigns broader, more targeted, and more difficult to detect.

    Example of the Italian Black Friday fake websites (italyblackfriday2025[.]com)

    Surge in Domains Impersonating Major ECommerce Brands

    In addition to the seasonal Black Friday themes, brand abuse remains a reliable driver of cyber crime, especially around this time. In October 2025, researchers identified 1,519 new domains referencing reputable ecommerce marketplace sites of Amazon, AliExpress, or Alibaba. This represents a 24 percent increase over September 2025 and a 12 percent increase compared to October 2024. Of these websites, 1 in every 25 was identified as posing an active threat.

    Case Study: HOKA Black Friday Scam

    The domain hokablackfriday[.]com hosted a fraudulent site impersonating the athletic footwear brand HOKA. The site used:

  • The official logo
  • High quality product images
  • Deeply discounted prices to generate urgency

    • Registered on 24 October 2025, the domain was flagged as phishing. The campaign sought to steal personal information, account credentials, and credit card data entered during a fake checkout process.

    Fake HOKA Black Friday website impersonating the brand’s official online store.

    Case Study: AliExpress Phishing Scam

    The site aliexpress62[.]com closely replicated the look and feel of the legitimate AliExpress platform, including branded elements and promotional content.

    Registered on October 5th, we identified that the domain was used to harvest personal information, AliExpress login credentials, and payment card details.

    Fake AliExpress website impersonating the brand’s official online store.

    Recommendations for Cyber Security Professionals

    The volume and structure of these domain registrations illustrate a coordinated and scalable cyber crime ecosystem, which will likely only intensify and become more sophisticated with the adoption of generative AI tools by the threat actors. Cyber security professionals should take targeted steps to reduce exposure during peak shopping periods:

  • Monitor spikes in newly registered domains referencing brands, retail terms, and predictable naming templates.
  • Deploy endpoint protections to block access to malicious or newly registered domains, prevent credential harvesting, and stop phishing sites before users interact with them.
  • Leverage an external risk-management solution to continuously discover internet-facing assets, detect domain and brand impersonation, and automate takedowns of fraudulent infrastructure.
  • Provide clear internal and external guidance outlining how to verify URLs and avoid seasonal phishing lures.
  • Enhance fraud controls for payment workflows, including risk scoring for transactions originating from newly registered domains.

    • A proactive, intelligence-driven approach is essential as attackers automate domain creation, expand impersonation strategies, and exploit the high volume of online transactions surrounding Black Friday.