Brace Yourselves For Holiday Scams: Over 100x increase in Fake Amazon Sites

Here at DNSFilter, as we prepare for the holidays, we’ve noted that malicious sites using Amazon’s name have skyrocketed since early November. The average DNS query to malicious Amazon sites increased more than 111x in November compared to the previous months, just in time for the holiday season. This includes scams mimicking freight and shipping services that Amazon provides, in addition to fake gift card giveaways, and login pages.

Holiday Scam Example
Example of a fake Amazon site using social engineering to steal users’ credentials

DHL and FedEx are also victims of typosquatting and domain spoofing. The number of malicious FedEx domains encountered in November increased over 14% compared to the previous period, and nearly 13% more DHL malicious domains were identified on our network. We’ve found more than thirty sites using the same DHL ransomware kit, disguised as a shipping updates site.

DHL Fake SSO Login
Site leveraging DHL's name with fake single sign on (SSO) login

"Online shopping continues to grow and consumer trust in eRetailers is high. This makes holiday and shipping related sites especially nefarious as vectors for malware, ransomware, and phishing. In addition to dozens of festive scam sites identified by our domain intelligence, we're also seeing new ransomware kits that leverage concerns about shipping slowdowns and supply chain issues over the holidays. It is critical for businesses to have DNS protection in place to protect users who may be doing holiday browsing, or package tracking, on a company computer,” said Jen Ayers, DNSFilter Chief Operating Officer and cybersecurity industry veteran.

Over the last few years, we’ve noticed a sharp increase in the percent of shopping traffic on our network. Before Thanksgiving and Black Friday in 2019, shopping represented 10.69% of our network traffic. In 2020 during the same time period, it made up 13.81% of our DNS queries, possibly due to the growth in online shopping due to COVID-19. In 2021, access to shopping sites represents 19.46% of our network.

In the month of November, access to shopping on our network has increased ~9.81%, while access to shopping sites that are also categorized as phishing has increased 6x.

Sample holiday phishing site
Phishing site disguised as a festive holiday retailer

Starting in early November, we also noticed an increase in DNS queries to sites that include the terms “Christmas” and “BlackFriday,” with phishing scams to match. Scams taking advantage of the keyword “BlackFriday” ranged from niche, such as a site “selling” Doc Martens, to broader sites capitalizing on "Black Friday Deals".

Fake Black Friday Shoe Site
he URL of this site includes "drdocmartensblackfriday"
Black Friday Holiday Scam Site Example
A more generic Black Friday scam

Scams found leveraging “Christmas” claimed to sell Christmas sweaters, ornaments, and one even mimicked a German bank.

Covid+Holiday Scam Site
Scam site leveraging both COVID-19 and Christmas trends to scam users
Christmas Sweater Scam Site
Scam site leveraging searches for “christmas sweaters”
Fake Login
This fake bank login site uses "Christmas" in the domain name

DNSFilter users are protected by these scams and more, such as phishing schemes posing as fake TSA pre-check. All internet users should be aware of what these phishing sites look like in order to avoid falling for these costly scams. Here are a few things you can do while also implementing DNS security:

  • Keep an eye out for questionable domain names. One fake Amazon site was freeamazongift[dot]cf, which is highly suspicious since it promises something that is likely too good to be true
  • Be wary of things that are different. Does it look like the login page you're used to? Try bringing up the usual login page in a new window to verify you've been linked to a legitimate site
  • Question new companies. Have you heard of this brand before? Can you find social accounts or user reviews for it? Christmas and Black Friday scams rely on eager buyers who aren't validating the sites they're purchasing from—do your homework!

For the best protection this holiday season, set up a free trial of DNSFilter.

Search
  • There are no suggestions because the search field is empty.
Latest posts
Tycoon 2FA Infrastructure Expansion: A DNS Perspective, and Release of 65 Root Domain IOCs Tycoon 2FA Infrastructure Expansion: A DNS Perspective, and Release of 65 Root Domain IOCs

Our analysis of Tycoon 2FA infrastructure has revealed significant operational changes, including the platform's coordinated expansion surge in Spanish (.es) domains starting April 7, 2025, and evidence suggesting highly targeted subdomain usage patterns. This blog shares our findings from analyzing 11,343 unique FQDNs (fully qualified domain names) and provides 65 root domain indicators of compromise (IOCs) to help network defenders implement mo...

The Best Content Filter Software Checklist: A Buyer's Guide to DNS-Level Protection The Best Content Filter Software Checklist: A Buyer's Guide to DNS-Level Protection

Staying Ahead with Smarter Web Filtering

Across every industry and network environment, content filtering isn’t just a matter of productivity, it’s a front line of defense. From malware and phishing to compliance risks and productivity drains, the threats are real, and the stakes are high.

Smarter DNS Policies: What You Should Be Blocking (But Probably Aren’t) Smarter DNS Policies: What You Should Be Blocking (But Probably Aren’t)

DNS filtering is a foundational layer of defense and helps to fortify the strongest security stacks. Most organizations use DNSFilter to block the obvious: malware, phishing, and adult content. That’s a great start, but many are missing out on the broader potential of DNS policies.

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.