Black Friday Brand Impersonation Scams

Threat actors exploited the high volume of legitimate Black Friday marketing to run convincing phishing campaigns impersonating retailers like Amazon and Louis Vuitton, using newly registered domains, redirects, and cloud-hosted links to harvest credentials or deliver payloads. Darktrace / EMAIL detected and blocked multiple such campaigns in November 2025 by identifying anomalous senders, short-lived domains, and hidden malicious links.

Keypoints

  • Black Friday marketing volume creates an ideal environment for targeted phishing that mimics legitimate retail emails.
  • Threat actors impersonated major brands (notably Amazon and Louis Vuitton) using realistic branding and urgency-driven subject lines.
  • Attackers relied on newly registered or short-lived domains, redirect chains, and cloud storage links (e.g., storage.googleapis[.]com) to evade detection.
  • Darktrace / EMAIL’s anomaly-based detection identified and held multiple malicious emails before they reached recipients in November 2025.
  • Examples included domains petplatz[.]com, bookaaatop[.]ru, xn--80aaae9btead2a[.]xn--p1ai, x.wwwtopsalebooks[.]ru, and luxy-rox[.]com.
  • Campaigns combined psychological manipulation (urgency, exclusivity, luxury offers) with technical evasion to increase click-through and credential-harvesting risk.
  • Recommendations include reinforcing user awareness, link inspection practices, and anomaly-based email detection during retail-heavy periods.

MITRE Techniques

  • [T1566] Phishing – Attackers used emails impersonating trusted retailers and urgency-driven messaging to obtain credentials or deliver payloads (‘targeted phishing campaigns designed to mimic legitimate retail emails’).

Indicators of Compromise

  • [Hostname] phishing and spam domains observed in campaigns – petplatz[.]com, bookaaatop[.]ru
  • [Hostname] malicious international domains used in redirects – xn--80aaae9btead2a[.]xn--p1ai (топааабоок[.]рф), luxy-rox[.]com
  • [URL] malicious redirect and hosting endpoints – hxxps://x.wwwtopsalebooks[.]ru/…/d65fg4er[.]html, storage.googleapis[.]com (linked as a hidden “CLICK HERE” target)
  • [Email address] suspicious sender used to masquerade as a brand – rskkqxyu@bookaaatop[.]ru
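
An added example (not code from Darktrace or the original post) of the link-inspection practice the key points recommend: it flags a brand display name sent from an unrelated domain, punycode link hosts, and cloud-storage link targets. The names `inspect_email` and `BRAND_DOMAINS`, the "Amazon Deals" display name, and the bucket path are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

CLOUD_STORAGE_HOSTS = {"storage.googleapis.com"}  # host named in the IoC list
BRAND_DOMAINS = {"amazon": {"amazon.com"}}  # assumption: brand -> legitimate sender domains

def refang(value):  # undo IoC defanging (hxxp, [.]) so the values parse as URLs
    return value.replace("hxxp", "http").replace("[.]", ".")

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def inspect_email(from_header, html_body):
    """Return sorted findings for one message (hypothetical helper)."""
    findings = set()
    display, addr = parseaddr(from_header)
    sender = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(sender == d or sender.endswith("." + d) for d in domains)
        if brand in display.lower() and not legit:
            findings.add(f"brand-mismatch:{brand}:{sender}")
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.add(f"punycode-host:{host}")
        if host in CLOUD_STORAGE_HOSTS:
            findings.add(f"cloud-storage-link:{text}")
    return sorted(findings)

# Constructed sample (not a captured email), built from the defanged IoCs above.
SAMPLE_FROM = refang("Amazon Deals <rskkqxyu@bookaaatop[.]ru>")
SAMPLE_HTML = refang('<a href="hxxps://storage.googleapis[.]com/example-bucket/x.html">CLICK HERE</a>'
                     '<a href="hxxp://xn--80aaae9btead2a[.]xn--p1ai/">View deal</a>')
print(inspect_email(SAMPLE_FROM, SAMPLE_HTML))
```

Each finding is a triage signal rather than a verdict, since legitimate mail also links to cloud storage and internationalized domains.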


Read more: https://www.darktrace.com/blog/from-amazon-to-louis-vuitton-how-darktrace-detects-black-friday-phishing-attacks