Editor’s Note: This blog was written by our teammates at Digital Shadows (now ReliaQuest) to align with the new SOC Talk installment: Keeping Black Friday Cyber Threats at Bay.

The tail end of the calendar year represents arguably the most important period for retailers and companies working in e-commerce, with a huge amount of yearly profits determined in the final two months of the year. This profit is largely generated through the two biggest online sales events of the year, Black Friday and Cyber Monday. Keeping online retail stores running, while also ensuring that customers’ data is protected, is absolutely essential during this period. In this blog, we will give you a rundown of the key threats you need to consider over the coming weeks.

Black Friday: A Time of Opportunity and Risk

The Black Friday period represents a hugely profitable yet perilous time for online retailers. Maintaining operations, and the ability to receive and process online orders, is absolutely essential at this time, with outages of even just a few hours likely to result in huge losses. This was a common sentiment during our discussion with clients in the past month, who identified that business continuity was the most important consideration for Black Friday. Although the data is a couple of years old, this sentiment can be seen in the graphic below, highlighting online sales volume by month.

A chart showing a drastic increase in annual online sales volume in the months of November and December

Online sales volume by month (Source: SaleCycle)

Finding the Imposters: Typosquatting and Impersonating Domains

Last year’s blog on Black Friday identified many of the threats facing consumers during this time of heightened ecommerce activity. This includes an abundance of Black Friday related phishing scams and fake infrastructure. Threat actors creating malicious infrastructure—including impersonating domains, fake mobile applications, and malicious emails—will likely use the event to harvest users’ financial and personally identifiable information (PII).

How can you spot these fraudulent sites? The best method is simple mindfulness and using increased vigilance during this period. Be aware of anything that lands in your inbox unannounced, or otherwise expresses a requirement for urgency; as my father frequently tells me, there’s no such thing as a free lunch and if something appears too good to be true, it probably is.

Anything that looks out of place in an email or on a domain is key to spotting a scam: spelling mistakes, branding disparities, or, of course, the classic tactic of deliberately misspelling a URL. Typosquatting is a common and effective threat that leverages users’ unsafe browsing habits. For example, a website spoofing Digital Shadows (now ReliaQuest) might present as www.digital5hadows[.]com. An alternate approach often taken by fraudsters is to change a website’s domain extension, or to use a fake website with a country code top-level domain (ccTLD), a domain extension that is most commonly assigned to websites associated with a country or sovereign state.

A screenshot showing an impersonating site selling a set of tools for $99, reduced from $659

Impersonating domains will often offer wildly appealing deals. Don’t fall for them (Source: Fortinet) 

During the research for this blog, we compiled a list of 40 well-known retailers and used SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to find associated impersonating domains. Digital Shadows (now ReliaQuest) identified approximately 14,000 impersonating domains by searching between 30 Oct 2022 and 01 Nov 2022. The search started from 40 seed domains (a seed domain is the starting point from which impersonating material can be identified), typically the retailer’s main website. While this number appears large, in reality it’s just a fraction of the fake domains that are being created every day. This of course doesn’t affect just larger retailers; lesser-known brands are just as likely to attract malicious attention.
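The techniques described above (character substitution, a swapped domain extension, a near-miss spelling) can be checked mechanically against a seed domain. The following is an added example, not SearchLight's method or code from the original post; the substitution map and the observed-domain list are constructed, and the label/TLD split is deliberately naive (no public-suffix list).

```python
# Constructed map of digits/symbols often swapped for look-alike letters.
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"}

def split_domain(domain):
    """Naive (label, tld) split; handles defanged '[.]' and a leading 'www.'."""
    d = domain.lower().replace("[.]", ".").strip(".")
    if d.startswith("www."):
        d = d[4:]
    label, _, tld = d.partition(".")
    return label, tld

def skeleton(label):
    """Undo look-alike substitutions and drop hyphens."""
    return "".join(LOOKALIKES.get(c, c) for c in label if c != "-")

def edit_distance(a, b):
    """Levenshtein distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(seed, candidate):
    """Return the impersonation technique, or None if unrelated or the seed itself."""
    s_label, s_tld = split_domain(seed)
    c_label, c_tld = split_domain(candidate)
    if c_label == s_label:
        return None if c_tld == s_tld else "tld-swap"
    if skeleton(c_label) == skeleton(s_label):
        return "lookalike"
    if edit_distance(c_label, s_label) <= 1:
        return "typo"
    if s_label in c_label:
        return "brand-embedded"
    return None

def triage(seed, observed):
    """Map each suspicious observed domain to its technique."""
    hits = {d: classify(seed, d) for d in observed}
    return {d: t for d, t in hits.items() if t}

# Constructed sample feed of newly observed domains.
OBSERVED = ["www.digital5hadows[.]com", "digitalshadows.co", "digitalshadow.com",
            "digitalshadows-blackfriday.com", "example.org", "digitalshadows.com"]
print(triage("digitalshadows.com", OBSERVED))
```
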

For retailers, the best method of staying on top of the many impersonating domains that will surface at this time is to use a DRP service like that offered by Digital Shadows (now ReliaQuest). By using this service you’ll be able to identify brand infringements as they occur, triage the risk over time, and remediate when required. SearchLight’s customized alerting is capable of spotting malicious infrastructure masquerading as your brand, whether that be via domain names, asset types or intellectual property, or even malicious use of company logos. Our managed takedown service can also assist with removing impersonating material, whether that be a phishing site, a fake mobile application, or other infringing content. If you’d like to learn more, why not take a test drive of SearchLight.

The Persistence of Magecart

Magecart, a term often used interchangeably with credit card skimmers or formjacking, entered the common cyber threat lexicon in 2018. British Airways, Ticketmaster, and NewEgg were three of the first victims of this type of threat, with customers’ credit card details stolen after the company’s e-commerce websites were compromised by malware. Magecart allows threat actors to steal credit card information by adding unique scripts into the source code of susceptible payment webpages. Malicious code is typically hidden within an HTML comment, so that it appears benign when placed in the source code. Magecart is designed to read information entered into payment forms on checkout pages, before sending data back to a remote computer controlled by attackers.


Magecart attack cycle. Step 1: Attacker compromises website and injects script for code skimmer. Step 2: Victim executes script. Step 3: Card skimmer grabs payment information and sends to exfiltration server. Step 4: Attacker receives stolen payment information.

Magecart attack lifecycle (Source: Trend Micro)

Magecart is attractive to attackers as they only need to compromise a single third-party script operating on a site. If undetected, an attack can impact hundreds or even thousands of consumers before the retailer is able to identify that anything has happened. As Magecart attacks frequently target vulnerabilities within third-party scripts and software, the emphasis in mitigating this activity should be placed on understanding what third-party services operate on sites, before minimizing their use where possible. Managing this risk can also be achieved by maintaining compliance with Payment Card Industry Data Security Standards (PCI DSS); PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
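One way to start the third-party inventory described above is to audit the script tags a checkout page actually loads. This is an added example, not code from the original post: it flags external script hosts missing from an approved inventory and external scripts loaded without a Subresource Integrity (`integrity`) attribute. The hostnames, inventory and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptAudit(HTMLParser):
    """Collect findings for third-party <script src=...> tags."""

    def __init__(self, first_party, allowed_hosts):
        super().__init__()
        self.first_party = first_party
        self.allowed = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script: out of scope for this inventory check
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host is None or host == self.first_party:
            return
        issues = []
        if host not in self.allowed:
            issues.append("host-not-in-inventory")
        if not attr.get("integrity"):
            issues.append("no-sri")  # script content can change without notice
        if issues:
            self.findings.append((host, issues))

def audit_checkout(html, first_party, allowed_hosts):
    """Return [(host, [issues])] for third-party scripts needing review."""
    parser = ScriptAudit(first_party, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed checkout page and approved third-party inventory.
SAMPLE_HTML = """
<script src="/static/cart.js"></script>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://pay.vendor.example/sdk.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://analytics.vendor.example/tag.js"></script>
<script src="//cdn.unknown.example/jq.min.js"></script>
"""
ALLOWED = {"pay.vendor.example", "analytics.vendor.example"}
for finding in audit_checkout(SAMPLE_HTML, "shop.example", ALLOWED):
    print(finding)
```
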

Ransomware, DDoS, Data Breach: All the Extortion

Extortion attacks represent arguably the biggest current cyber threat to business. We’ve written at length about the significant risk posed by ransomware activity; however, extortionists in 2022 have used a variety of methods to solicit ransom payments from victims. One that is particularly pertinent during the Black Friday period is distributed denial of service (DDoS) attacks. Originally thought of as a declining attack vector or primarily used as a distraction for more pernicious activity, DDoS has seen a resurgence in 2022, particularly in the context of the Russia-Ukraine war. Hacktivist actors on both sides of the war have used DDoS to try to influence the outcome of the conflict; it is believed that during the first 6 months of the conflict DDoS activity trebled when compared with the first six months of 2021.

Digital Shadows (now ReliaQuest) has also identified a demonstrable increase in data breaches being used as the solitary angle for extortion. In these attacks, threat actors will deliberately exfiltrate sensitive data before threatening to post it onto a dedicated data leak site, reminiscent of ransomware double-extortion attacks. Of course, additional scrutiny of a retailer during Black Friday will only serve to increase any reputational and business risk associated with a data breach, particularly if customer PII or financial data is exposed.

So at this particularly important time, how can you keep your services up and running, with data free from the risk of theft? A huge amount of cyber risk can be lowered by focussing on managing your company’s attack surface. This is a process that aims to continuously discover, classify, and assess the security of your IT ecosystem. Before Black Friday, aim to identify what your assets are, what you have visibility of, and what gaps in visibility you might have. At this point, an assessment can be made on any shortcomings that might be present. This could include unnecessary exposure of remote services, over reliance on redundant third party scripts on certain websites, or unpatched exploitable vulnerabilities. Focussing on fixing these common access vectors can greatly reduce the chance of your services being impacted during this hugely important time of the year.

Protect your organization’s web presence with ReliaQuest GreyMatter Digital Risk Protection. GreyMatter DRP provides continuous monitoring of deep and dark web sources to isolate legitimate threats and provide real-time alerting and fast remediation.