Executive Summary: 2025 Retail Holiday Threat Report

Date: Nnovember 2025
Author: PreCrime Labs, BforeAI

The holiday season brings excitement, not only in the form of festive celebrations, but also from the rush of shopping and irresistible discounts. However, this enthusiastic surge in activity is often paired with a lack of caution, creating the perfect opportunity for cybercriminals to set-up phishing campaigns that target consumers eagerly hunting for deals. The holiday period stretching from as early as September through to January every year is a breeding ground for scams and fraud targeting both retailers and their customers.

From Diwali and Hanukkah to Christmas, New Year, and major sale events like Black Friday and Cyber Monday, phishing links and fraudulent websites flood inboxes, social media, search results, and messaging apps. Threat actors leverage on spending potential around holidays, urgency, steep discounts, and trust in seasonal promotions to steal payment information and personal data.

This year’s holiday threat round-up documents targeted luxury brand storefronts to festival gift scams, crypto “seasonal tokens,” and travel-deal traps. We also observed Domain Generation Algorithm (DGA)-style bulk domain registrations, spoofed app pages, alongside paid placement in Google Ads, Telegram coupon channels, and social media “deal groups” impersonating as authentic discount communities.

PreCrime Labs, the research division of BforeAI, observed holiday-themed registrations from 15 September to 10 November 2025, and within this almost 2 month window, the team identified 1,728 domains suspicious and malicious in nature. While this volume is lower than the same period last year, it is important to note that December remains the peak month for malicious domain registrations tied to holiday shopping events.

To provide preemptive awareness, we intentionally focused this year’s study on pre-December domain activity, capturing the campaigns that set their infrastructure well ahead of major sales periods. Based on historical patterns, a significant surge in malicious registrations is expected throughout December.

Compared to the 2024 holiday season, attacker behavior in 2025 reflects an earlier start and concentrated targeting, particularly around Halloween (+182%) and Black Friday (+96%). Meanwhile, Christmas (-94.8%) and New Years (+263.2%) are expected to rise significantly in December, which is relevant to the prime window for retail-themed phishing domain launches. A notable trend this year is the surge in generic “holiday sale” and regional festival abuse, including Diwali and Indian retail events, indicating a broader global targeting pattern and opportunistic pivoting toward multiple regional markets.

Threat Landscape Overview

There has been a significant increase in domain registrations in late 2025, particularly in October and November. October 2025 saw 854 domain creations, making it the highest month for new registrations. November 2025 also showed high activity with 221 new domains, followed by September 2025 with 193 new domains.

NameSilo is the leading domain registrar, followed by Hostinger and GoDaddy. NameSilo accounts for 334 registrations. Hostinger and GoDaddy are also significant players with 130 and 122 registrations respectively.

The United States leads with 114 registrations. Iceland follows with 92 registrations, suggesting a notable number of domains are registered from this country. This is followed by the UK (17) and China (16).

Top Level Domain (TLD) Distribution:

‘.com’ is the most prevalent TLD, accounting for approximately 34.88% of all domains. ‘.shop’ is the second most common, representing about 16.43% of the domains. ‘.xyz’ and ‘.store’ follow, with 5.32% and 4.51% respectively. Other notable TLDs include ‘.sbs’ (4.34%), ‘.lat’ (3.99%), ‘.world’ (3.93%), and ‘.site’ (3.82%). Specialized TLDs like ‘.christmas’, ‘.blackfriday’, and ‘.gifts’ also appear, suggesting a focus on holiday and gifting themes within the dataset.

Distribution of Keywords, Holidays, and Commonly Shopping Associated Keywords

Top 10 Keyword Distribution:

Holiday-specific keywords are dominated by “blackfriday”, “halloween”, and “gift”, highlighting the seasonal targeting used for these phishing campaigns. Commonly shopping-associated keywords include “shop”, “store”, and “checkout”, further emphasizing the retail focus of these domains.

Top 10 Shopping Associated Keyword Distribution:

Our dataset shows that terms such as “shop” (322, 63.5%) and “store” (106, 20.9%) are very high and cover the bulk of the domains, reflecting the phishing campaign’s focus on online stores and outlet-style discount shops. Keywords associated with transactions include “checkout” (53, “cart” (3), “online” 50), and “buy” (4), and appear frequently, indicating attempts to capture payment credentials and personal data at the point of purchase. Smaller niche terms like “beauty,” “home,” and “health” also emerge, aligning with gifting and seasonal wellness trends.

Unique Domain Patterns, Malicious Indicators, and DGA Abuse

Post-tariff “factory outlet” trend and geopolitical events:

Compared to last year, more sets of domains combine multiple keywords and sometimes include numbers or unusual character combinations, indicating they were created consecutively. About 7.9% of the domains analyzed were identified as domain-generation-algorithm based, a significant signal of automated malicious infrastructure. The unique domains mentioned below showed the highest number of domain generated algorithms (DGA).

• ‘checkoutyournewyeargift’: 15
• ‘holidaygiftcrazeoftheyearend’: 15
• ‘finalmonthsofholidaygiftsdirect’: 15
• ‘grabyourhalloween’: 14
• ‘endofyears’: 28
• ‘2025sale’: 41
• ‘2025clearance’: 9

An educational program framed as an affiliate program to teach prospective entrepreneurs how to start a new business used Black Friday as the perfect time to “start your journey now” (Figure 1), indicating an attempt to create a sense of urgency, a classic psychological persuasion tactic. Domains like these encourage clicking and sign-ups, potentially leading to personal data capture, financial upsells, or phishing funnels.

The site below (Figure 2) leverages Black Friday hype to lure users into a “Spin to Win” promotion under the guise of a car dealership campaign (brand targeted, Dominion Motors). The domain name strongly resembles gamified phishing and reward-fraud patterns commonly seen during holiday shopping seasons.

Early indicators of travel booking activity

This domain (Figure 3) poses as a Halloween festival travel portal, encouraging users to search flights for a themed “Zombie Festival.” Pages like this one are commonly used to harvest traveler data, redirect users to fraudulent booking sites, or deploy payment-stealing templates. The seasonal theme, travel urgency, upcoming holidays, and playful branding to trigger impulse behavior.

Notably, there has been a subtle rise in travel-themed promotional domains around the same period, suggesting that threat actors might continue to engage in the hype of seasonal travel and last-minute holiday planning. This coincides with retail scam trends, where the holiday season facilitates peak booking and shopping windows also leads to travel lures.

This domain, “giftnewsyear[.]com” (Figure 4), presents itself as a generic “Sign In” portal but is essentially harvesting credentials under the guise of New Year gifting or rewards, a common seasonal phishing tactic. The page offers multiple login methods (including “Login with Facebook” and “Login with Twitter”), increasing the likelihood of stealing social media credentials during holiday giveaway periods.

The domain “bigbonanza[.]christmas” (Figure 5), attempts to exploit holiday excitement and seasonal keyword trust (through the obvious “.christmas” TLD) to get users to click on a gambling-related app listing impersonating as a Google Play page. This example highlights how holiday domain themes aren’t only used for phishing and fake shopping, they also serve as affiliate traps and gambling lures.

The domain, “blackfridaylux[.]com” (Figure 6), displays a poorly-made luxury handbag retail site advertising “50% OFF” designer bag collections during Black Friday. The site leverages high-end brand imagery (e.g., luxury totes and monogram bags) to lure users into believing they are purchasing premium goods at steep holiday discounts. This also coincides with how luxury shoppers are targeted during festival seasons and different types of phishing threats targeting different luxury brands.

Different luxury brand domains observed as part of this phishing set are:

• Dolce & Gabbana: 4
• Sephora: 3
• Pandora: 4
• Kate Spade: 2
• Coach: 1
• Arket: 1
• Zalando: 1

Additionally, the research team observed a fake Amazon storefront designed to capitalize on Black Friday shopping traffic (Figure 7). The page layout, product listings, and pricing models are crafted to resemble a real Amazon site, encouraging shoppers to make purchases appear discounted, ultimately stealing payment details, personal data, or redirecting them to malicious checkout flows.

The domain also shows affordable pricing signals that look “real”, featuring realistic deals, not overly cheap. Users may unknowingly enter card details, login credentials, or personal data, leading to financial fraud and account compromise, particularly leading to Amazon account hijacking.

Other e-commerce platforms observed in the data set:

• Amazon: 3
• Flipkart: 17
• Walmart: 1

“New Year Bonus” crypto scams

This website promotes a so-called “Halloween CZN (HWN) token”, exploiting holiday hype and engaging visuals to prompt a themed crypto purchase. Seasonal tokens like this are commonly associated with pump-and-dump schemes, rug pulls, and fake community hype, exploiting users’ festive excitement and FOMO (fear of missing out).

The highlighted domain (Figure 8) leads to a “Buy Now” call-to-action to quickly drive impulsive investment decisions. These tactics are typical during holiday seasons, as emotional persuasion increases financial scams.

Crypto related domains:

• Combination: Halloween + Solana: 4
• Combination: Blackfriday + Solana: 1
• Combination: Halloween + Coin: 4
• Combination: Blackfriday + Bitcoin: 1

The domain “katespadeblackfridaysale[.]in[.]net” (Figure 9) impersonates the identity of luxury brand Kate Spade by using the name in the URL along with Black Friday. However, instead of luxury retail content, it redirects users to a Vietnamese online gambling platform (S666). This redirection pattern indicates a dual-purpose scam tactic, initially capturing users searching for designer deals, then funneling them into a betting environment to propel financial exploitation.

The page uses images related to casinos, reward messages, and bonus prompts, in an attempt to get the victim’s funds. This is a common monetization play where holiday keywords lead to gambling redirects, often leading to high-risk financial transactions without verifications.

Festive Gifting Abuse: Parked Domains Turned Paid Ads

During festive gifting periods, especially Diwali, Christmas, and New Year, corporate gifting cycles run frequently and threat actors actively exploit them to attract corporate buyers and high-value consumers.

We observed a variety of such instances, including one “diwaligifts[.]co” (Figure 10),which was initially parked and appearing harmless, was once promoted via Google Ads Library to appear legitimate and dominate top results in search engines. These paid ad placements get more clicks and trust from surfers searching for something similar, particularly procurement teams and corporate buyers. They might be led towards fraudulent shops offering “factory outlet,” “Diwali corporate gift,” or “bulk order discount” schemes.

By monetizing domains through advertising instead of direct phishing, attackers increase click-through rates, build credibility, and then pivot these domains into scam stores, malware downloads, or payment frauds, later parking them once the malicious campaign has concluded. These campaigns blend hybrid strategies such as SEO poisoning, ad fraud, and seasonal social engineering, significantly boosting visibility during peak gifting months.

Figure 10 Parked domains (likely active during advertising period) shows momentary activity during holidays and use of ads to reach a diverse range of internet surfers. (Based on the records, the last ad regarding diwali gifting was shown on Oct 16, 2025.)

Sale on Telegram Channels:

Alongside domain-based phishing and fraudulent ads, we observed a surge of activities in discount-and-loot-deal channels on Telegram and other messaging platforms promoting aggressive sales claims (Figure 12). These channels typically present themselves as deal aggregators surfacing the “best offers” from leading e-commerce platforms like Amazon, Flipkart, Myntra, and AJIO, despite having no verified affiliation with these brands.

During peak festival and holiday periods, the subscriber growth rate and posting frequency increases dramatically, driven by consumer hype, FOMO, and urgency-based marketing language like “loot deals”, “last minute”, or “flash offer” (Figure 13).

While not all deal-sharing channels are inherently harmful, threat actors increasingly exploit this pattern to:

1. Redirect users to phishing websites mimicking e-commerce checkouts
2. Push affiliate scam links disguised as official brand promotions
3. Drive users to fraudulent apps or fake coupon extensions
4. Spread reselling and refund fraud schemes
5. Harvest personal information under the guise of “offer activation”

Figure 13 Huge subscriber list on “loot” channels can lead to exponential spread of malicious campaigns, especially around holiday retail sales and offers.

These channels often operate in grey or unethical spaces, making claims without transparency, impersonating brands, or using policy-evading link shorteners and redirections to obscure the destination. Holiday periods turn these channels into high-risk distribution hubs, quickly directing thousands of users toward malicious links. For consumers seeking to save money, the trust barrier is low, making it easier to spread campaigns.

Such apps can also:

• Encourage exploiting loopholes in payment systems
• Promote cashback manipulation
• Funnel users to referral fraud schemes
• Sometimes link to phishing or malware APKs
• Push users to install modified payment apps or bots

• Pre-register seasonal keyword-based domains that include your brand + “sale,” “Diwali,” “BlackFriday,” etc., to prevent misuse.
• Monitor app stores and ad libraries for impersonation campaigns or malicious coupon/extension apps.
• Leverage and implement continuous monitoring of threat intelligence platforms capable of detecting and classifying:
  
  • domains patterns, keyword spikes, and DGA clusters tied to seasonal shopping
  • impersonating domains within hours of registration
  • seasonal phishing activity on messaging platforms like Telegram and social media
  • prioritize preemptive takedown workflows during festival windows when scam volumes spike sharply
• Release seasonal advisories prior to Diwali, Black Friday, Christmas, New Year, and other high-volume shopping periods by frequently advertising and announcing legitimate channels to purchase and claim discounts to keep the fake platforms away.

• Only shop through official retail websites, apps, or known marketplaces. Avoid clicking on links in messages and emails that offer a shortened and suspicious redirection link.
• For travel offers, such as those mimicking festival travel deals (similar to TravelHalloweenPromo-style pages), verify the booking platform instead of relying on event-specific promotional sites.
• Avoid direct UPI transfers, wallet requests, or QR codes sent through chats or unofficial campaigns.
• Never enter payment or login details on unverified sites without confirming legitimacy.
• Always search for the brand directly instead of clicking ads during peak shopping times.

IOC list (domains, IPs, APK hashes)

Explore our latest PreCrime™ Labs report:

Suspicious Domain Activity in Lead up to 2026 FIFA World Cup Tournament

Phishing Campaign Imitating U.S. Department of Education G5

Ready to see BforeAI in action?
Get a personalized demo

Talk to one of our experts and deploy in minutes.
No implementation needed. Works right out of the box!