This Year’s Black Friday Scam Against Best Buy, or Was It Amazon?

Phishing Scams Aren’t Always Sophisticated, Especially When Attackers Know Your Customers Aren’t Paying Attention

We’ve said it before, and we’ll say it again. Excited customers looking for a bargain + realistic looking fake websites = a recipe for disaster. 

As we found in the past with shopping holidays such as Prime Day, hackers will take advantage of any surge in online traffic to steal sensitive credentials and data from unsuspecting customers. It should come as no surprise then, that there was a surge of this kind of attack on the biggest online shopping weekend of the year, Black Friday. However, this time, we found something a little unusual…

A Deep Dive into Best Buy this Black Friday

Let’s look at just one case study, the popular retailer Best Buy. Segasec research found that suspicious URLs associated with the domain peaked on the 28th of November, the day prior to Black Friday, ready for eager customers experiencing serious FOMO to drop their sense of caution. 181 potential attacks were monitored on this day, all of which may have been phishing scams, waiting for click-happy visitors looking to be wowed by what would seem like the best deals of the year. But what these offers would really be, is simply too good to be true. 

A Peak in Suspicious URLs for Best Buy domains - a day before Black Friday 


Sophisticated? Not always. Sometimes, phishing scams don’t need to be

When we think about these kinds of scams, we often focus on the really believable fakes, the ones that accurately scrape content such as a retailer’s branding, logo or color scheme to create an experience that mimics the original. We might only consider an attack to be a real threat when it truly mirrors the tone of the legitimate website it’s impersonating. These scams could use similar domain names and branding to achieve this, or address the customer through the channels they are used to be corresponding through.

However, the truth is that all the bells and whistles are not necessary to scam the average consumer, especially when they’re in a psychological frenzy to get their hands on a limited time deal. And that’s exactly what we saw this Black Friday. Check out this phishing website below, found at http://www[.]bestbuy-az[.]com/. The website is not only nothing like the original Best Buy retailer, but it appears to mimic an Amazon listings page, the only connection to the former being a suspect tagline with the words “Best to Buy”! 

  • The attackers might not have spent time on complex social engineering techniques, but if users buy Amazon products through this proxy, or enter their financial details or personal credentials to purchase any of the other ‘offers’ that the website is selling, the scam will be just as successful as it would have been through a more realistic fake. As Black Friday websites often appear for a limited time, similar to the idea of pop-up shops on a local high street, it’s easier for visitors to forgive the back-to-basics feel of the whole experience, and zero in on what they consider to be a fantastic offer that they don’t want to miss out on. As we’ve shown before, the padlock symbol might encourage visitors to consider this website as safe, despite that sign simply alerting to encrypted data.

Who will take the blame? Best Buy or Amazon?

In this case, if credentials are successfully stolen through this phishing scam, potential retailers caught in the crossfire could be both Amazon and Best Buy, because of the content used on the site, as well as the domain name.

The only way for retailers to stay safe from this kind of attack is to deploy technology that monitors both fronts, suspicious domain-related threats, as well as content scraping and manipulation. This holistic security approach ensures that if there are attackers taking advantage of your good name, Segasec is the first to know.

Want to see how it works in practice? Let’s schedule a demo.