Targeted Holiday Phishing Scams Spike with Fake Dolce & Gabbana and Pandora Storefronts and Cryptocurrency Schemes

Key Takeaways

• Malicious domain durge: Researchers identified over 1,700 suspicious and malicious domains registered between September and November 2025.
• Targeted keywords: Campaigns heavily leverage holiday-specific keywords like "blackfriday" and "halloween," combined with retail terms such as "shop" and "store."
• Evolving tactics: Threat actors are using DGAs, fake luxury storefronts, fraudulent app pages, and crypto "seasonal tokens" to perpetrate holiday shopping fraud.

A significant increase in malicious infrastructure being set up ahead of the peak holiday shopping season is highlighted in a new report that documents a concentrated effort by threat actors to target both retailers and consumers with sophisticated phishing campaigns via over 1,700 domains, pointing to a strategic approach to capitalize on heightened consumer activity.

Analysis of Malicious Domain Registrations

The "2025 Retail Holiday Threat Report" by BforeAI's PreCrime Labs provides a detailed breakdown of the threat landscape, noting a significant spike in malicious domain registrations in October. 

Between September 15 and November 10, 2025, researchers identified 1,728 malicious domains, indicating that attackers are preparing their infrastructure well in advance of major sales events like Black Friday, Cyber Monday, and Christmas. 

Phishing domains impersonating various brands include: 

• Dolce & Gabbana: 4
• Pandora: 4
• Sephora: 3
• Kate Spade: 2
• Coach: 1
• Arket: 1
• Zalando: 1
• Amazon: 3
• Flipkart: 17
• Walmart: 1

Among the campaigns of interest are:

• Educational purchases 
• Fake flash sales
• Gifting
• Travel booking
• Gambling-related apps
• Exclusive Festival Deals

“Some threat actors register their infrastructure weeks or even months in advance to build reputation and avoid immediate detection,” Rishika Desai, Threat Researcher and Writer at BforeAI, told TechNadu, highlighting that Black Friday dominated, with more than 500 related domains and a “smaller but notable rise” in New Year–themed registrations.

Phishing TLD and Keyword Distribution

The most prevalent Top-Level Domain (TLD) used was “.com,” accounting for approximately 34.88% of all domains, followed by:

• “.shop” – 16.43%
• “.xyz” – 5.32%
• “.store” – 4.51%
• “.sbs” – 4.34%
• “.lat” – 3.99% 
• “.world” – 3.93% 
• “.site” – 3.82%. 

Specialized TLDs such as “.christmas,” “.blackfriday,” and “.gifts” were also mentioned in the analysis, reinforcing the idea that cybercriminals focus on holiday and gifting themes.

The top 10 shopping-associated keyword distribution includes smaller niche terms like “beauty,” “home,” and “health,” but at the top are:

• “shop” (322, 63.5%) 
• “store” (106, 20.9%) 
• “checkout” (53) – “cart” (3), “online” (50)
• “buy” (4) 

NameSilo was identified as the leading domain registrar for this malicious activity. A key finding is the use of Domain Generation Algorithm (DGA)-style bulk domain registrations, with 7.9% of analyzed domains showing characteristics of automated malicious infrastructure – a tactic that enables attackers to rapidly create and deploy a large volume of phishing sites.

The highest numbers of DGAs were seen in these unique domains: 

• checkoutyournewyeargift: 15
• holidaygiftcrazeoftheyearend: 15
• finalmonthsofholidaygiftsdirect: 15
• grabyourhalloween: 14
• endofyears: 28
• 2025sale: 41
• 2025clearance: 9

Key Trends in 2025 Holiday Phishing Scams

This year's 2025 holiday phishing scams demonstrate a broader global targeting pattern, with a notable increase in campaigns focused on Halloween and Black Friday. Attackers are using diverse lures, including:

• Fake luxury brand storefronts for Dolce & Gabbana and Pandora, 
• Fraudulent travel promotions, 
• Cryptocurrency "seasonal token" pump-and-dump schemes. 

The report also highlights the abuse of deal-sharing channels on platforms like Telegram, where threat actors redirect users to phishing sites disguised as legitimate e-commerce promotions. 

For detections, Desai recommends continuous threat monitoring to identify a baseline of generic retail and deal-related keywords that surface throughout the year. 

“Additionally, when tracking keywords tied to sales cycles or holidays, we can observe a frequently occurring pattern. For instance, around major shopping events like Black Friday, we consistently see a surge through a set of malicious indicators appearing frequently,” Desai added. “Similarly, during significant sports events or cultural moments, entirely different sets of keywords emerge to tap the buying impulses of consumers.”

These multifaceted campaigns underscore the evolving nature of retail cybersecurity threats and the need for heightened vigilance from both organizations and consumers.

Recently, a new analysis from the Zimperium Mobile Shopping Report identified that mobile phishing (mishing) campaigns increased by up to four times during the holiday shopping season, often impersonating retail and shipping brands.