Phantom Stores: Retail Impersonation Spreads Ahead of Black Friday Powered by Video Ads and Modular ‘Holiday Skins’ Kit


In the frenzied weeks leading up to Black Friday and Cyber Monday, Ad Tech’s busiest season, a new cluster of phantom storefronts has surged into view. While trademark abuse and counterfeit retail are cyclical holiday threats, this year brings a heavy pivot to short-form, “TikTok-style” video ads to drive traffic, combined with resilient infrastructure.

Timing the Abuse of the Ad Ecosystem

This cluster is capitalizing on the current ‘search and discovery’ phase of the shopping cycle. It aggressively targets high-demand gifting items like laptops, luxury apparel, and home appliances, alongside seasonal staples like Christmas trees, lights and holiday chocolate. It is timed specifically to coincide with legitimate ‘Early Black Friday’ and holiday sales events, and notably uses video ads rather than static ads. Trademarks of dozens of major brands are abused, in particular those of giants Amazon, Costco, Walmart and Home Depot.

[Figure: Google Trends data for “Black Friday Deals”, October 1 to November 19, 2025]

From a revenue perspective, Q4 is critical in Ad Tech. Ad Tech companies generate a significant portion of their annual profits during this window, while advertisers aggressively deploy their remaining budgets. Consequently, Ad Operations teams operate at maximum capacity, managing a significant increase in campaigns for Black Friday and Cyber Monday events, and they face pressure to approve and launch campaigns rapidly. During Q4, Ad Operations teams handle “high-CPM” brands, like the ones we saw abused, with care because of their impact on revenue and on driving spend. In this high-velocity environment, mimicking high-CPM brands can be quite effective.
Additionally, video ads are time-consuming to review and historically perceived as safe, which often gives them a degree of implicit trust from reviewers. Attackers try to exploit this operational strain, attempting to slip a steady stream of malicious campaigns through amidst the flood of legitimate ones. They also rely on cloaking to remain undetected by security researchers while actively targeting consumers.

Cloaking

The cloaking used by this cluster is relatively straightforward: users on desktop or with specific user agents are served benign, policy-compliant “white pages” that resemble generic e-commerce sites with no major brands or logos in sight. Meanwhile, targeted users are taken to the fake, or phantom, storefronts. We detected clones of several major retailers, including Amazon, Costco, Walmart, Wayfair and Home Depot, showcasing the year’s trending inventory. Copying sites is trivial, and attackers rip assets directly from the legitimate websites. The resulting fake sites are mid-tier clones with minimal functionality, but visually passable enough to deceive a user scrolling on a mobile device.

The video ad creatives themselves featured a wide variety of high-demand goods.
They showcased ‘hype’ products like Uggs, On Cloud running shoes, MacBooks, iPhones, Arc’teryx, and L.L.Bean, alongside seasonal staples such as Christmas trees, holiday lights, and festive decor.

To keep the scam resilient against inevitable blocks and takedowns, the attackers rely on a multi-staged backend and delivery strategy.

Infrastructure Reliance

Registered Domain Generation Algorithms (RDGA) Use

To sustain volumes and account for takedowns, the cluster uses Registered Domain Generation Algorithms (RDGAs) to programmatically generate and register a steady stream of disposable domains, keeping ahead of blocklists while maintaining a consistent flood of traffic.

The RDGAs used by this cluster are pretty good; the domains we detected are well-designed: short .com domains consisting of “pronounceable” pseudo-words. This helps them blend in with legitimate brands that use similar short naming conventions (e.g., Google, Roblox). Many contain fragments of real words: for example, fctural[.]com mimics ‘factual’, atlanh[.]com ‘atlanta’, fgency[.]com ‘agency’, vsibla[.]com ‘visible’, and rnicle[.]com ‘chronicle’. This results in the domains having low entropy. If a security analyst is looking at logs, they might mistake a domain like fgency[.]com for a legitimate, albeit niche, website. In contrast, a random, high-entropy domain like lqkwrj[.]com stands out as immediately suspicious.

Asset Decoupling

To harden the infrastructure, the attackers separate the disposable RDGA domains from the content hosting. This architecture effectively establishes an “Asset Mothership” where the heavy resources (images, fonts, scripts) live, with multiple RDGA domains pointing to it. When an RDGA domain is inevitably blocked, the attackers simply discard it and rotate to a fresh domain, repointing the HTML to the existing asset repository in the mothership. This ensures rapid recovery without the need to migrate heavy resources.
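The point above is that these pronounceable pseudo-words pass the lexical checks that catch classic random DGAs. The Python below is an added example, not the post’s or Confiant’s tooling: it profiles the domains quoted above with per-character Shannon entropy and an assumed pronounceability rule (vowel share and longest consonant run), and the constructed random label lqkwrj[.]com is the only one flagged, while its entropy is identical to fgency[.]com’s, so a defender needs signals beyond the label itself.

```python
import math
from collections import Counter

# Domains quoted in the post (defanged with [.]), one constructed random
# label for contrast, and the two short real brand names the post cites.
SAMPLE_DOMAINS = [
    "fctural[.]com", "atlanh[.]com", "fgency[.]com", "vsibla[.]com",
    "rnicle[.]com", "lqkwrj[.]com", "google.com", "roblox.com",
]
VOWELS = set("aeiouy")  # assumption: y counts as a vowel


def registrable_label(domain):
    """Refang, lowercase, and return the left-most label (e.g. 'fgency')."""
    return domain.strip().lower().replace("[.]", ".").split(".")[0]


def shannon_entropy(text):
    """Per-character Shannon entropy in bits, the classic DGA heuristic."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text):
    """Length of the longest run of non-vowel characters."""
    run = best = 0
    for ch in text:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def lexical_profile(domain):
    """Assumed rule: a label reads as pronounceable when at least a fifth of
    its characters are vowels and no consonant run is longer than three."""
    label = registrable_label(domain)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    run = longest_consonant_run(label)
    return {"label": label,
            "entropy": round(shannon_entropy(label), 3),
            "vowel_ratio": round(vowel_ratio, 2),
            "longest_consonant_run": run,
            "looks_pronounceable": vowel_ratio >= 0.2 and run <= 3}


def flag_unpronounceable(domains):
    """Labels that a purely lexical filter would flag as DGA-like."""
    return [p["label"] for p in map(lexical_profile, domains)
            if not p["looks_pronounceable"]]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(lexical_profile(d))
    print("flagged:", flag_unpronounceable(SAMPLE_DOMAINS))
```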
They also leverage dns-prefetch and preconnect to minimize latency, maintaining the illusion of the high-performance infrastructure expected from major retailers like Amazon.

Holiday Skins

Analyzing the checkout and payment pages revealed some interesting, specific class selectors for all the major holidays and retail events. These selectors indicate that the campaign is designed for year-round operation, capable of being “re-skinned” instantly by changing a parent class on the <body> tag. This Holiday Skins capability lets the attacker run a Halloween scam in October, a Black Friday scam in November, and a Christmas scam in December with little effort, creating a continuous, year-round operation.

.head-notice.thanksgiving
.head-notice.blackFriday
.head-notice.cyberMonday
.head-notice.christmas
.head-notice.newYear
.head-notice.valentinesDay

Conclusion

Ultimately, this cluster is a prime example of the agility and TTPs of modern malvertisers. It is a convergence of high-engagement video ads, resilient infrastructure, and a modular backend capable of instant ‘re-skinning’ for any major holiday. By layering these TTPs, the threat actors have built a ‘Dark Q4’ campaign that is not only resilient to mitigation but designed for continuous, year-round operation. They have effectively created a strategy inspired by the very brands they abuse — prioritizing scalability, global reach, and operational efficiency to defraud consumers at an industrial scale.

IOC dump

https://gist.github.com/roshan-confiant/923c7aa5b2ad162e85169f89076920d0

Phantom Stores: Retail Impersonation Spreads Ahead of Black Friday Powered by Video Ads and Modular ‘Holiday Skins’ Kit was originally published in Confiant on Medium.
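As an added example (not the post’s or Confiant’s tooling), the Python below parses a captured page and reports the two page-level indicators described above: dns-prefetch/preconnect hints and heavy assets pointing at a host other than the serving domain, and the head-notice plus holiday skin classes. The sample HTML and the cdn-mothership.example host are constructed, and the closing triage rule is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Skin classes quoted in the post, and the resource hints the post says the pages use.
HOLIDAY_SKINS = {"thanksgiving", "blackFriday", "cyberMonday",
                 "christmas", "newYear", "valentinesDay"}
HINT_RELS = {"dns-prefetch", "preconnect"}

# Constructed sample of a phantom checkout page (not a real capture): every heavy
# asset comes from a second host, and the body carries a holiday skin class.
SAMPLE_HTML = """<html><head>
<link rel="dns-prefetch" href="//cdn-mothership.example">
<link rel="preconnect" href="https://cdn-mothership.example" crossorigin>
<link rel="stylesheet" href="https://cdn-mothership.example/css/checkout.css">
<script src="https://cdn-mothership.example/js/app.js"></script>
</head><body class="blackFriday"><div class="head-notice blackFriday">Deals end tonight</div>
<img src="/logo.png"><img src="https://cdn-mothership.example/img/tree.png">
</body></html>"""

def _host(url):
    """Hostname of an absolute or protocol-relative URL; None for same-origin paths."""
    url = "https:" + url if url and url.startswith("//") else (url or "")
    return urlsplit(url).hostname

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.classes, self.hint_hosts, self.asset_hosts = set(), set(), set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.classes.update((a.get("class") or "").split())
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            (self.hint_hosts if rels & HINT_RELS else self.asset_hosts).add(_host(a.get("href")))
        elif tag in ("script", "img", "iframe"):
            self.asset_hosts.add(_host(a.get("src")))

def triage(html, page_host):
    """Summarise asset-decoupling and skin indicators for a page served from page_host."""
    c = _Collector()
    c.feed(html)
    offsite = lambda hosts: sorted(h for h in hosts if h and h != page_host)
    return {"external_asset_hosts": offsite(c.hint_hosts | c.asset_hosts),
            "prefetch_or_preconnect_hosts": offsite(c.hint_hosts),
            "holiday_skins": sorted(c.classes & HOLIDAY_SKINS),
            "has_head_notice": "head-notice" in c.classes}

def looks_like_phantom_checkout(report):
    """Assumed triage rule: a head-notice, a skin class and off-site heavy assets together."""
    return bool(report["has_head_notice"] and report["holiday_skins"] and report["external_asset_hosts"])
```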