December 23, 2021by Adi Bleih

Shopping Seasons and Scamming Sites

Cybercriminals prepare long in advance for the holiday season - but they won’t need any wrapping paper for what they have in store. ‘Tis the season for phishing, and you’d better watch out.

Wouldn’t it be nice if threat actors could give us a break for the holidays? A short breath of fresh air from the never-ending, year-long influx of attempted cyber-attacks? Unfortunately, this couldn’t be further from reality. With the holiday season fast approaching, threat actors are poised and ready to take advantage of the opportunities that arise with the annual shopping surge. As holiday spending rises, so does the scale and frequency of phishing attacks, with cybercriminals looking to capitalize on the increased spending for their own gain.

In our research of the holiday phishing phenomenon, we discovered something interesting: while most phishing attacks take place between November and December, the underground discourse surrounding phishing tools and tactics peaks several months earlier. This suggests that threat actors lay the groundwork for their phishing attack campaigns long before they are deployed.

Phishing appears in two broad categories on the deep and dark web. First, on underground forums, actors discuss tactics, techniques, and procedures related to phishing. Second, on underground markets, actors sell phishing services and tools, such as kits and templates.

Phishing Discourse

We looked at the total number of mentions pertaining to phishing and any related terms on underground forums. As reflected in the graph below, between January and November 2021, the overall discourse surrounding phishing rose a whopping 200%.

Phishing Forum Activity

Deeper analysis of these posts reflects a general underground-wide search in pursuit of new tools, tactics and techniques to carry out attacks.  In the post below, an actor looking for a “scam page”—underground slang for phishing site—receives several recommendations and offers for custom Gmail, PayPal, Hotmail, and other fraudulent pages.

Further, the example below depicts another conversation between threat actors, this time discussing the various methods and tips for collecting cookies from victims’ computers after they have been duped into opening a scam page. In this particular example, the actor specifies their intention to collect cookies from a PayPal scam site in order to steal credit card data and other sensitive financial credentials.


Phishing Tools and Services

Meanwhile, as the forums discuss and share techniques and tactics, the underground markets brim with buyers and sellers trading the phishing tools and services needed to launch the attacks – including scam page templates and phishing kits. The graph below reflects that the total number of phishing-related products for sale on underground markets peaked in the first quarter of 2021, before dropping significantly in the following months.


This sharp drop seems to imply a decrease in demand, as it requires several months to set up effective phishing campaigns. Actors understand that newly registered domains are generally blocked automatically by anti-phishing mechanisms, and therefore, to launch an effective campaign and avoid detection, they need to register their phishing domains several months in advance.

Let’s take a look at some examples of the phishing kits and templates sold on underground markets:

In the post depicted below, a threat actor advertises a “Wells Fargo” scam page for sale on a popular market for the price of $750. The actor specifies that there are a total of 100 such scam pages available for sale.


In another example, we can see a post sharing an Apple scam page for free download. The post had positive feedback from other actors that allege to have downloaded and used the scam page.

Darkweb Screenshot

When searching by brand, we found that just over a quarter (26%) of all phishing products for sale in underground markets targeted Amazon, as in the example below whereby a bogus Amazon login page is advertised for sale at the price of $50.

Dark Web Screenshot

Finally, this example reflects an attempted refunding fraud attack, whereby the victim is sent a notification that they are owed a refund, and must claim it by logging in to their Amazon account. This page is for sale on the underground for $35.

Darkweb Screenshot


As the new Omicron variant threatens to disrupt in-person holiday shopping this December, holiday shoppers are expected to turn once again to their favorite e-commerce sites and do most of their buying online. And, as we know, where the money flows, so do the attackers, with threat actors expected to continue innovating new ways to steal money, credit card information, and ecommerce credentials.

Protecting against phishing attacks is no easy feat, with the vast majority of anti-phishing mechanisms operating by blocking newly-registered domains. Yet, as discussed above, the phishing pages targeting consumers today were likely purchased and registered several months ago in order to avoid detection. Accordingly, as always, consumers must maintain constant vigilance when opening suspicious links from unverified senders, specifically when they are asked to enter personal information.

So, before you shop online, check the domain that you’ve entered, and be wary of scams and other fraudulent schemes. Have a secure and happy holiday season!

You may also like

A close-up, detailed, and vibrant image of a microscopic cell with numerous tentacle-like extensions, depicted in shades of pink and purple against a blurred blue background.

May 15, 2024

Black Basta's Devastating Attack on a US Hospital System: Lessons Learned and Protective Measures

Read more
Screen showing a malware alert

May 09, 2024

New 'Latrodectus' Malware Linked to Notorious 'IcedID' Developer: A Deep Dive into Targets, Potential Impact, and Remediation Steps

Read more
Chris Strand-Thumbnail

May 07, 2024

Enhancing Security Posture with Cyber Risk Intelligence Part 2

Read more