Black Friday and Cyber Monday are two of the most-awaited shopping events each year. That said, they have also become favored scammer targets for the most ingenious campaigns designed to part shoppers with their cash or, worse, identities.

Over the years, we’ve seen the worst Black Friday and Cyber Monday scams—fake order, phony tracking number, bogus website, hot deal, and fake charity scams—line cybercriminals’ pockets. We’re quite certain we’ll see many of them this year as well.

We at Threat Intelligence Platform (TIP) thus sought to exert due diligence to hopefully lessen the risks online shoppers may face. Our in-depth investigation uncovered:

• 180 domains created between 1 January and 31 October 2022 containing the strings “blackfriday + sale,” “blackfriday + deal,” “blackfriday + discount,” “blackfriday + coupon,” “blackfriday + gift,” “cybermonday + sale,” “cybermonday + deal,” “cybermonday + discount,” “cybermonday + coupon,” and “cybermonday + gift”
• 178 subdomains that made their way into the DNS between 1 January and 31 October 2022 containing the same strings above that scammers were likely to use in their campaigns
• Six unredacted registrant email addresses used to register 4,519 domains, 34 of which were dubbed “malicious” by various malware engines
• 273 IP hosts shared by at least 36,973 domains and subdomains, 61 of which were confirmed either malware hosts or spam-sending properties

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Deep Foray into the DNS Reveals the Potential Phishing Surface

We began our investigation by scouring the DNS for domains and subdomains created just this year that could serve as potential vehicles for Black Friday and Cyber Monday-related scams. Our searches led to the discovery of 358 web properties—180 domains and 178 subdomains specifically.

A majority of the domains (47 or 25%) were created just last month while 42% of the subdomains or 77 to be exact were found as soon as the year began. The chart below shows a comparison of the domain and subdomain registration growth volumes throughout the year.

Based on the domain registration volume trend, the highest number of potential scam page hosts were created about two months before the events. The subdomain addition volume trend, meanwhile, peaked in January.

TIP screenshots showed that 30 of the domains and 66 subdomains currently host live content. Examples of those that look like online shopping pages are shown below.

Closer scrutiny of the web properties also revealed that a majority of both the domains (96) and subdomains (103) contained the string “deal.” Note, though, that each string can appear in more than one cyber resource.

The top 3 domain strings that appeared alongside “blackfriday” or “cybermonday” were “deal,” “sale,” and “coupon,” as shown in the word cloud below.

“Deal,” “sale,” and “discount,” on the other hand, were most used among the subdomains, as shown below.

An Even Deeper Dive to Uncover More Artifacts

Interestingly, the pages’ WHOIS records showed that only nine of the domains and subdomains were likely owned by legitimate businesses based on the registrant email addresses their owners indicated. We couldn’t exactly determine the ownership legitimacy of the remaining 191 web properties whose WHOIS records have been redacted.

We were, however, able to retrieve six unredacted registrant email addresses that have been used to register 4,519 domains throughout their existence. A bulk TIP malware check showed that 34 of these were dubbed “malicious” by various malware engines.

TIP IP geolocation data also showed that 305 of the digital properties resolved to 484 IP addresses, most of which were geolocated in the U.S. (285) and Canada (57), which isn’t surprising since the events have to do with Thanksgiving Day celebrations. What is a bit surprising, though, is that some IP addresses were geolocated in countries that don’t celebrate the holiday, such as Germany, South Korea, and the Netherlands, among 20 others. A possible explanation is that these countries may have local celebrations.

Additionally, 273 of the IP hosts were shared by at least 36,973 domains and subdomains, 61 of which were confirmed malicious—60 were malware hosts and one was a spam sender.

While none of the Black Friday and Cyber Monday-related domains and subdomains we uncovered have been dubbed “malicious,” many of them could be hacked or weaponized to serve as malware hosts or phishing pages. Our more in-depth investigation, however, led to the discovery of 95 malicious web properties tied to the Black Friday and Cyber Monday domains and subdomains initially found, either by shared registrants or IP hosts, that could put online shoppers at great risk.

TIP, aided by WHOIS and DNS tools, through phishing surface identification and IoC list expansion efforts, can thus help organizations and individuals alike avoid the by-product perils that the biggest sales events of each year may bring.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.