Silent Push, NordVPN Uncover Thousands of Brand-Spoofing Websites
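Cybercriminals have created tens of thousands of fake websites imitating well-known companies such as Amazon to trick consumers into handing over personal information and money during shopping events. These scams use payment systems and technical means to steal data and funds. The group behind them may be from China, and victims have lost more than $1.1 billion. 2025-7-2 17:59:0 Author: securityboulevard.com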

Bad actors are flooding the internet with tens of thousands of phony websites impersonating real businesses in hopes of scamming shoppers and stealing their money and data.

Researchers with NordVPN released a report Wednesday, July 2, noting more than 120,000 such malicious websites impersonating Amazon as the e-commerce giant prepares for an extended four-day Amazon Prime Day sales event that kicks off July 8.

Meanwhile, analysts with Silent Push also on July 2 wrote that they had uncovered a massive phishing campaign that involves a fake marketplace and thousands of websites spoofing popular payment and retail brands, including Apple, Harbor Freight Tools, Wayfair, Lane Bryant, and Wrangler Jeans.

They found a private technical fingerprint associated with the marketplace’s infrastructure that contains Chinese words and characters, which “strongly indicate that the developers of this network are from China,” they wrote. “Our team has uncovered thousands of domains spoofing various payment and retail brands in connection to this campaign.”

Shopping Events Open Doors for Scams

NordVPN CTO Marijus Briedis said in a statement that “major shopping events like Prime Day create perfect storms for cybercriminals. Scammers know that shoppers’ excitement and urgency around limited-time deals make them more susceptible to clicking on malicious links or sharing personal information without proper verification.”

Brand-impersonation scams have proven to be lucrative operations for threat groups, which helps explain their increasing numbers in recent years. According to the U.S. Federal Trade Commission (FTC), such campaigns ranked among the top fraud complaints coming into its Consumer Sentinel Network in 2023.

There were more than 330,000 reports of business impersonation scams and nearly 160,000 reports of government impersonation schemes that year, which accounted for almost half of all fraud complaints and added up to more than $1.1 billion in losses to victims.

120,000 Fraudulent Amazon Sites

In the case of Amazon, extending the Prime Day sale from two to four days gives scammers an extra two days to target victims, according to NordVPN. According to data collected from its Threat Protection Pro anti-malware tool, cybercriminals set up more than 120,000 malware, phishing, and scam websites impersonating Amazon over the past two months, all of which the vendor blocked.

This correlates with other high-profile Amazon shopping events, the researchers wrote. During the e-tailer’s Big Spring Sale week that spanned late March into early April, the number of malware websites jumped 1,661% from the previous week, while phishing sites grew 1,249%, and scam sites 8,325%.

That said, the Amazon data also shows that the objectives of the scammers are changing, shifting from getting access to customer accounts to tricking shoppers into making unauthorized payments, which rose from 28% in April to 38% now, becoming the most-reported goal.

Chinese Marketplace of Bogus Sites

Silent Push researchers have uncovered several brand-spoofing campaigns in recent months, including two in December 2024 – a threat actor they dubbed “Aggressive Inventory Zombies” and a malvertising campaign abusing Google Search ads. Last month, they wrote about a network of more than 4,000 fraudulent domains in a campaign called “GhostVendors.”

They were turned on to the Chinese marketplace after seeing a posting on X (formerly Twitter) by a Mexican journalist about threat actors targeting Hot Sale 2025, an annual sales event in the country similar to Black Friday in the United States.

“Our team pivoted from that Mexico-centric campaign into thousands of websites that broadly targeted a more global audience with abundant waves of fake marketplace scams,” they wrote, adding that most of the sites were used for phishing. “The threat actor has also been caught abusing online payment services, including MasterCard, PayPal, and Visa, as well as payment security techniques such as Google Pay, across the campaign’s network of scam websites.”

The scam marketplace targets English- and Spanish-speaking shoppers, with phishing pages that feature products apparently scraped from other sites and that abuse online payment security techniques. In addition, a number of sites use Google Pay, suggesting the bad actors also steal payments without delivering goods to victims.

Real Payments, No Products

The sites take real payments, using genuine Google Pay purchase widgets, which offer another layer of protection for shoppers through a key feature that uses randomly generated, virtual credit card numbers instead of actual credit card details. Given that, the scammers typically can’t steal credit card data.

“Despite the security of raw credit card information not being shared via this method, a threat actor can often circumvent the protection of virtual card numbers,” the Silent Push researchers wrote. “Even when accepting payments made via this process, a threat actor can still successfully orchestrate its online scam by simply failing to deliver the ordered products after payment.”

There also was a level of sloppiness to some of the fraud websites, including the misspelling of some brand names, impossibly low price listings, and sites for one domain offering pictures from another. For example, a site for a guitar store showed children’s accessories.

Many phishing sites were blocked by their hosts or taken down by defenders once they were discovered, but according to Silent Push researchers, as of June, thousands remained active.

“In the face of these types of scaled-up, persistent threats, traditional methods appear unable to hold back the tide,” they wrote.

Article source: https://securityboulevard.com/2025/07/silent-push-nordvpn-uncover-thousands-of-brand-spoofing-websites/?utm_source=rss&utm_medium=rss&utm_campaign=silent-push-nordvpn-uncover-thousands-of-brand-spoofing-websites