Black Friday. You love it, you hate it, you love to hate it. Whether you’re already getting your finances in order for a deal on a new TV or dreading the thought of having to face hordes of frenzied shoppers: We’re all familiar with the idea of Black Friday (and the e-commerce-focused Cyber Monday). Although their roots lie in the United States, shopping holidays in general have quickly gained traction to become global phenomena. For example, over the entire Black Friday/Cyber Monday weekend in 2018, shoppers in the United States spent about $7.9 billion.

Consumers and retailers alike can benefit from a seasonal surge of trade resulting from heavily discounted goods, but Black Friday and Cyber Monday aren’t the only shopping holidays out there. After all, the name “Black Friday” signifies the one day out of the year that retailers are “in the black”, meaning they’ve made a profit for the day, as opposed to being “in the red”. Amazon, one of the world’s largest e-commerce platforms, annually hosts its own annual event in the middle of July: Prime Day. A midsummer answer to Cyber Monday, Amazon Prime members can expect deals to last around 36 hours. Although Amazon typically doesn’t release exact figures, customers around the world purchased over 175 million items on Prime Day 2019, breaking records from the previous year. And if that isn’t enough, there’s also China’s Singles’ Day, or 11/11: A Chinese holiday where people celebrate… well, being single… but it also just happens to be the world’s biggest day for shopping. The Alibaba Group, which owns popular retail marketplaces like AliExpress, Taobao, and Tmall, brought in record-breaking figures of $38.4 billion in just a 24 hour shopping period this year, blowing Black Friday sales in the United States out of the water.

Black Friday and cybercriminal PR strategies

Such sales numbers consistently break records year after year, but popular retailers aren’t the only ones that profit from these events. The cybercriminal landscape has taken note of the sheer popularity of shopping holidays like Black Friday, and have adopted similar approaches to promote the sale of less savory items. The admin of BriansClub, an automated vending cart (better known as an AVC), for example, was recently spotted advertising Black Friday deals of their own, offering extra discounts for customers who spend over USD $500.

Briansclub admin advertising black friday telegram

BriansClub admin advertising Black Friday deals on Telegram

BriansClub, which specializes in the sale of credit cards and other financial information, recently suffered a targeted attack on its data center, resulting in the exposure of around 26 million stolen credit and debit cards. Using Black Friday to offer substantial discounts could be a good outreach strategy to get customers back after facing widespread negative publicity.

Cybercriminals in search of deals

People are always on the lookout for deals, whether you’re a regular consumer or a cybercriminal on the deep and dark web. Members of sites like BlackHatWorld, a forum focused on black-hat search engine optimization (SEO) strategies, will create threads dedicated to sharing deals that members come across. As eager as ever, these can start months ahead of when Black Friday starts, littered with people posting comments reading “following this thread” so that they can be notified as soon as a new deal is posted. Forum moderators will often create threads themselves in an attempt to crack down on repetitive posts and centralize discussion, a testament to the popularity of shopping holidays.

black friday cyber monday blackhatworld

Black Friday/Cyber Monday-dedicated thread created by a BlackHatWorld moderator


These types of threads are also an opportunity for forum members to advertise their services, and although affiliate links are typically frowned upon, Black Friday deals are often accompanied by large, attention-grabbing banners for maximum exposure.

blackhatworld cyber monday advertisement

A Cyber Monday advertisement on BlackHatWorld

Some dark web marketplaces will also host centralized shopping events of their own. For example, UnderMarket 2.0, which sells a variety of goods including stolen credit cards, counterfeit products, and drugs, has an annual event that runs in tandem with the usual Black Friday/Cyber Monday weekend after Thanksgiving. Deals can include a flat 30% discount on everything on the site, as well as extra discounts for buyers who spend over $2,000 at once.

black friday deals on undermarket 2.0

Black Friday 2018 deals on UnderMarket 2.0 (Source: Digital Shadows (now ReliaQuest)’ Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection))


In the cybercriminal landscape, interest in Black Friday, expectedly, peaks on Black Friday itself. With Digital Shadows (now ReliaQuest)’ Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection), we can compare mentions of Black Friday across chat messages, forum posts, and dark web pages. In both 2017 and 2018, where Black Friday fell on November 23 and 24 respectively, mentions drastically spiked. In 2018, however, there was an increase in general interest in Black Friday-related discussions in the days leading up to the shopping weekend. For 2019 we can likely expect a similar pattern on and around November 29.

black friday mentions on dark web 2017

black friday mentions on dark web 2018

Mentions of Black Friday across chat messages, forum posts, and dark web pages from November 1 to December 1 in 2017 and 2018 (Source: Digital Shadows (now ReliaQuest)’ Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection))

Deals can also pop up outside of the typical winter shopping season; “Black Friday” has become synonymous with getting great deals. Vendors on places like dark web marketplaces know that when a potential customer sees the term “Black Friday”, they’ll likely be attracted to the idea of saving some money, regardless of what season it is. The below screenshot from the dark web marketplace Cryptonia highlights a Black Friday advertisement outside of the winter season.

cryptonia dark web black friday advertisement

Advertisement for “Black Friday” drug deals on the dark web marketplace Cryptonia


Black Friday: A chance for cybercriminals to enhance their tooling

Even if vendors aren’t offering deals on stolen consumer data, Black Friday can also serve as an opportunity for cybercriminals to improve their toolset. Discounts on SEO kits, HTTPS/SOCKS proxies, and virtual private network (VPN) services are common and are hot commodities for the cybercriminal on a budget. For example, a sale on black hat SEO strategies and backlink software could further facilitate cybercrime around Black Friday by allowing cybercriminals to push malicious sites higher on search results, allowing them to reach a larger audience. These have long-lasting potential, and a good Black Friday deal on the missing piece of a cybercriminal’s arsenal can be used no matter what time of year. The possibilities are endless.


GSA software coupons on blackhatworld black friday

GSA software coupons on BlackHatWorld


VPN and proxy deals on breachforums black friday

VPN and proxy deals on breachforums black friday 2

VPN and proxy deals on BreachForums


Shopping holidays in the Russian landscape

In places where Black Friday isn’t as popular as it is in the English-speaking world, cybercriminals similarly mirror their respective country’s most popular shopping season. One of the biggest shopping seasons in Russia, for example, takes place around the New Year. On the Russian-language criminal forum XSS, vendors will typically offer Black Friday-like discounts on their products. Like clockwork, deals pop up year after year.

new year sale on XSS dark web

New Year sale on XSS (Translation: “In honor of the new year I’m doing a pre New Year’s discount of 50%. The discount runs from 17 to 30 December.”)


But even in countries where Black Friday is overshadowed by more popular local shopping seasons, the phrase still has name recognition. Even users on Russian-language hacking forums like wMasteru will post listings that include mentions of Black Friday, likely in an attempt to increase traffic and visibility.

forum post wMasteru advertising black friday

A forum post on wMasteru advertising Black Friday sweepstakes

How to stay safe as a consumer or retailer during the holidays

In addition to great deals and savings, the holiday season can also bring an increased risk of financial loss. As more and more people turn to online shopping, cybercriminals are provided with a much larger landscape to conduct fraud. There are several steps that both retailers and consumers can do to curb fraud and ensure staying safe while shopping.

For consumers:

  • Be mindful of where you shop: Before putting your personal or financial information into a website, make sure that you’re on the site you intend to be on. Phishing sites that seek to steal your information are incredibly common, and a keen eye that looks for unusual characters in the URL or on the web page can make all the difference. Always ensure you shop via reputable and official vendors; even on Black Friday, if a deal seems too good to be true, then it probably is.
  • Don’t always trust the padlock: If a site has a valid certificate and is using HTTPS, it doesn’t automatically mean that your data is secure; some certificates are free, and attackers can also easily purchase e-commerce sites with valid certificates on criminal marketplaces.
  • Don’t make the mistake of buying counterfeit goods: Fraudsters may use the hype of Black Friday to push fake products. Be suspicious about sales, prices, and deals that are well below the standard going price (even on Black Friday).
  • Watch out for card skimmers: If you’re brave enough to tackle the crowds and prefer to do your shopping in person (what a surprise!), always be on the lookout for indicators that a payment terminal has been compromised. Card skimmers have become sophisticated over the past few years, but an out of place wire or suspicious-looking PIN pad can be telltale signs of a poorly-implemented skimmer.
  • Take some time to monitor your accounts: If you happen to find yourself the victim of fraud, constant account checkups can be useful to catch fraudulent activity before it can do even more damage. Contact your bank or card issuer immediately if you identify any suspicious purchases.

For retailers:

  • Be diligent about your supply chain: Point of sale (POS) devices are prime targets, so make sure they are protected and monitored regularly for suspicious activity. Besides POS devices, don’t forget about third-party vendors such as your HVAC vendor, IT services, third-party software, etc. Have a defined supply chain onboarding process to include a robust vendor review, implement least privilege access, ensure there are strict security controls, and remember to revisit every step on a regular basis or if the scope of the vendor partnership changes.
  • Use payer authentication and validation: Requiring card verification numbers (CVNs), using an address verification service (AVS), or using a 3-D Secure payer authentication service can help reduce the use of stolen credit cards.
  • Monitor cracking forums for mentions of your company: The presence of your company domain on a criminal forum is a good indication you are being targeted by credential stuffing tools.
  • Use anti-CNP (Card-Not-Present) tools to validate transactions: Device fingerprinting, customer history, velocity monitoring, and negative lists (in-house or shared) are all valuable tools to disrupt fraudsters.
  • Plan ahead and stay one step ahead of cybercrime: Have a process in place to handle compromised customer accounts, be prepared to deal with extortion scenarios, and use threat intelligence to track actors and understand their threat level.

Retail and e-commerce organizations have a wealth of sensitive data and deep supply chains that can expose your business, customers, and brand to a wide variety of digital risks. To learn more around how we help retailers and other businesses monitor for risks on the open, deep, and dark web, try our solution, Search Light (now ReliaQuest GreyMatter Digital Risk Protection), free for yourself with a demo request here.

Happy shopping!

Want to learn more about risks to retail? Check out our full resources for retailers here

Top Cyber Threats to the Retail Sector