Team Confiant


Blackhole Friday: Scams That Never End

Holiday Cheer Meets High-Risk Ads

‘Tis the season for fourth-quarter revenue gains and year-end recoupment. Every brand is fighting for performance, because this is the season when AdTech makes its money. A significant portion of annual revenue is generated in the weeks leading up to and around Black Friday and Cyber Monday. Ad Operations teams are working under pressure, with surging campaign volumes and high capacity needs. High-CPM campaigns from recognizable brands get careful attention, but the sheer volume creates gaps. Those gaps show up in campaign content like video ads, which take longer to review, have historically seemed safer, and often come with a degree of implicit trust.

Threat actors know exactly how this works, and this year our security team tracked a malvertising cluster that shows just how sophisticated these operations have become.

Short-Form Video, Big Brand Names, and Fake Storefronts

The cluster uses TikTok-style video ads targeting high-demand gifting items like laptops, luxury apparel, and home appliances. Christmas trees, holiday lights, and festive decor are not excluded from this scam trend. Coinciding with legitimate holiday sales events, the video ads feature trademarks from major brands, in particular Amazon, Costco, Walmart, and Home Depot.

Cloaking keeps them hidden from security scanners while targeted users land on fake storefronts. The sites are passable clones, far from perfect, but good enough to fool someone scrolling on their phone looking for a deal.

They're Not Shutting Down After the Holidays

Unlike typical holiday campaigns that taper off into the New Year, “scam sales” are happening long after the holiday rush. Our security team conducted a full technical analysis, and it changed how we understood this operation.

When our team analyzed the checkout pages, they found code for every major retail event on the calendar from Thanksgiving to Valentine’s Day. Year-round scam operations.

This isn't seasonal infrastructure that gets deployed for Q4 and shut down; it's designed to pivot instantly. Run a Halloween scam in October, switch to Black Friday in November, Christmas in December, Valentine's Day in February. The operation doesn't stop; it adapts to the calendar the same way legitimate retailers do.

Industrial-Scale Fraud as a Business Model

Threat actors have built retail-scale operations, even adopting the same principles as the brands they’re impersonating: scalability, global reach, operational efficiency. The only difference: they’re using those principles to defraud consumers year-round.

This isn't seasonal opportunism anymore. These are persistent criminal business models designed to systematically degrade demand quality during the windows when AdTech is most vulnerable and least able to respond.

Securing the ad economy means understanding the business models driving these threats, not just blocking individual campaigns when they surface.

Technical Deep Dive

Our security team's complete analysis includes infrastructure diagrams, RDGA mechanics, asset decoupling architecture, cloaking techniques, and indicators of compromise.

 

Read the Full Technical Analysis on Medium →