There as been a surge in phishing attacks over the holiday shopping season, with phishing kits imitating major brands in the lead up to Black Friday. Research published by email security firm Egress, in partnership with Orpheus Cyber, has lifted the lid on how cybercriminals prepare to take advantage of the retail event, reporting a 397% increase in typo squatting domains explicitly tied to phishing kits.

Amazon was a popular choice for cybercriminals, with a 334.1% increase in phishing kits impersonating the brand ahead of its anticipated Black Friday promotions. Amazon was the top brand for fraudulent webpages linked to phishing kits, with researchers observing almost 4,000 pages imitating the brand – three times as many as those detected for than the popular online auction site eBay and over four times as many as for retail giant Walmart.

Phishing-as-a-service (PhaaS) lowers the financial and technical barriers to entry for cybercrime, with operators using a software-as-a-service model to offer professionalized platforms that allow customers to quickly deploy their own attacks. These “phishing kits” often include lists of email addresses for attackers to target, as well as branded phishing email and website templates designed to impersonate well-known companies.

Experts believe demand for phishing kits will continue to increase in the months leading up to Christmas, with cybercriminals taking advantage of the increased volume of marketing emails sent during the period to mask their own malicious attacks. During this period, cybercriminals will often disguise their malicious attacks as retailer offers, order confirmations or delivery confirmation emails.

In the week before Black Friday, researchers uncovered 200 new phishing kits containing imitation Amazon emails available on dark and clear web forums, with some retailing for as little as $40. One listing offers multiple language support, the ability to obtain credentials for a range of email providers and the option to prompt victims to take and submit pictures of their credit cards. Some kits boast capabilities to avoid detection, with one listing offering automated IP address checks to prevent automated security tools from scanning the link.

Researchers also observed phishing emails offering fake Amazon Black Friday promotions. One example, distributed on Black Friday, tempts recipients with an Amazon coupon that can be redeemed by completing an attached form. Further analysis revealed that the attachment contained XBAgent malware.