Amazon Prime Day 2026 — 6,843 fake domains and the end of manual phishing detection.
In the first week of June 2026, Check Point Research watched the Amazon brand get cloned 6,843 times, not in inboxes but in the domain registry itself. One in every thirteen of those domains was already classified as malicious or suspicious before the Prime Day sale started. A single actor registered 46 domains around the keyword amazoncredito, each shipped with a valid TLS certificate and a customer-service-flavored layout. This is the operational signature of industrial-scale phishing, and it is the point at which the HTTPS padlock stopped meaning anything as a safety heuristic. This post breaks down what changed, why string matching is not enough, and how Domainscan and Prism AI move the defense down to the infrastructure layer the attackers actually live in.
The scale of Prime Day 2026
Two numbers from the Check Point report do most of the work in describing what changed this year.
- 6,843 fake Amazon-themed domains: registered in the lead-up window, roughly one new lookalike every 88 seconds over a seven-day window. Manual takedown teams cannot operate at that cadence.
- 1 in 13 flagged malicious or suspicious: roughly 500 live phishing properties pointing at the same audience at the same time, before the sale even opens.
- 46-domain amazoncredito cluster: one threat actor, one keyword theme, dozens of customer-service-flavored subdomains, fake payment portals and valid TLS certificates across the board.
- Implication: at this volume, eyeball-based detection is dead. Defense has to be automated and infrastructure-shaped, not inbox-shaped.
Why the old safety checklist no longer works
Three engineering shifts explain why "just look carefully" stopped working — phishing pages now look authoritative on purpose.
- Automated domain generation: operators run dictionaries against Amazon's service surface (amazon-billing, amzn-support, prime-rewards, amazoncredito-pago) and bulk-register the long tail across cheap TLDs (.shop, .online, .top) through registrar APIs, dozens of names per call.
- Close-match customer-service framing: branding mimics transactional emails (refund, dispute, verify, claim). Layout is lifted pixel for pixel and the footer copyright line is scraped verbatim from amazon.com.
- Valid TLS by default: every domain in the cluster ships with a free domain-validated certificate from Let's Encrypt, ZeroSSL or the fronting CDN. A DV certificate proves only that whoever requested it controls that hostname, which the attacker does. The padlock is now a tool of the attacker, not a defense against them.
- What this defeats: spelling looks right, layout looks right, the URL is plausible and the browser shows a padlock. Every consumer-grade heuristic returns green. The fraud lives one layer below, in registration metadata, hosting fingerprint and mail server configuration.
Detecting fresh registrations and sudden DNS churn
Real retailers do not register their primary brand domains the week of a sale. Phishing operators do — that is the entire business model. Domainscan reads the registration timeline directly.
- Registration date vs campaign window: a domain whose WHOIS or RDAP creation date sits inside the last seven days, on a brand-keyword name, is a strong signal. It is not proof on its own: operators also pre-register and age domains to slip past this check, and some registries redact the creation date, so an unknown date has to be scored as unknown rather than as old.
- Nameserver and A-record churn: legitimate brands rarely flip DNS configuration daily. Phishing infrastructure does, pointing to new IPs as takedowns hit the old ones.
- Registrar abuse correlation: a handful of bulk registrars are statistically over-represented in abuse data. Brand-keyword name plus high-abuse registrar plus week-old creation date is a high-confidence signal.
Mapping the network, not just one domain
The 6,843-domain dataset was not produced by 6,843 unrelated actors. It was produced by a much smaller number of operators each running large fleets. Clustering finds those fleets.
- Shared IP addresses: hundreds of brand-lookalike domains resolving to one origin server is not a coincidence; it is one operator running a phishing kit at scale. Shared hosting and CDN edges are the caveat: an IP that fronts thousands of unrelated sites links nothing, so weight a shared IP by how many tenants it carries.
- Naming pattern fingerprints: suffix and prefix templates (-pago, -soporte, -credito) repeat across registrations. A single template is a cluster signature.
- Registrar plus nameserver pairs: operators reuse infrastructure. Identical registrar plus identical NS records across dozens of lookalikes identifies a single actor.
- Disruption value: catching one domain is interesting. Catching the other 45 in the amazoncredito network, mapped from one seed, is what actually shuts the campaign down.
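The fleet mapping described in this section, as an added Python example (not Domainscan's or Check Point's code): domains are linked into one cluster when they share an origin IP, a registrar-plus-nameserver pair, or a naming-template token, and a single seed expands into its whole fleet together with the reason for every link. The records, IP addresses and nameserver hostnames are constructed for the example.

```python
import re
from collections import defaultdict

BRAND_TOKENS = ("amazon", "amzn", "prime")
TLD_RE = re.compile(r"\.[a-z0-9-]+$")

# Constructed scanner output, one record per lookalike (not real registrations):
# resolved A records, registrar and nameserver hostnames.
RECORDS = [
    {"domain": "amazoncredito-pago.shop", "ips": {"203.0.113.10"},
     "registrar": "BulkReg", "ns": ("ns1.cheapdns.example", "ns2.cheapdns.example")},
    {"domain": "amazoncredito-soporte.online", "ips": {"203.0.113.10"},
     "registrar": "BulkReg", "ns": ("ns2.cheapdns.example", "ns1.cheapdns.example")},
    {"domain": "amazon-billing.top", "ips": {"198.51.100.7"},
     "registrar": "BulkReg", "ns": ("ns1.cheapdns.example", "ns2.cheapdns.example")},
    {"domain": "amzn-support-pago.shop", "ips": {"198.51.100.8"},
     "registrar": "OtherReg", "ns": ("ns1.other.example",)},
    {"domain": "prime-rewards.top", "ips": {"192.0.2.5"},
     "registrar": "RegistrarX", "ns": ("ns1.x.example",)},
]


def affix_tokens(domain):
    """Naming-template fingerprint: the hyphen-separated tokens left once the
    brand keywords and the TLD are stripped, e.g.
    'amazoncredito-pago.shop' -> {'credito', 'pago'}."""
    label = TLD_RE.sub("", domain.lower())
    for brand in BRAND_TOKENS:
        label = label.replace(brand, "-")
    return {t for t in label.split("-") if t}


def signals(rec):
    """All infrastructure signals one record emits. Two domains that share any
    single signal are linked into the same fleet."""
    sigs = [("ip", ip) for ip in sorted(rec["ips"])]
    sigs.append(("registrar+ns", (rec["registrar"].lower(), tuple(sorted(rec["ns"])))))
    sigs += [("template", t) for t in sorted(affix_tokens(rec["domain"]))]
    return sigs


def cluster(records):
    """Union-find over shared signals. Returns (clusters, edges): clusters as
    sorted domain lists, edges as (domain_a, domain_b, signal) triples so an
    analyst can audit why two names were joined."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_signal = defaultdict(list)
    for r in records:
        for sig in signals(r):
            by_signal[sig].append(r["domain"])
    edges = []
    for sig, domains in by_signal.items():
        for other in domains[1:]:
            ra, rb = find(domains[0]), find(other)
            if ra != rb:
                parent[rb] = ra
            edges.append((domains[0], other, sig))
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return [sorted(g) for g in groups.values()], edges


def fleet_of(records, seed):
    """Expand one seed domain into its whole fleet plus the links that built it."""
    clusters, edges = cluster(records)
    fleet = next(c for c in clusters if seed in c)
    return fleet, [e for e in edges if e[0] in fleet]


if __name__ == "__main__":
    fleet, links = fleet_of(RECORDS, "amazoncredito-pago.shop")
    print("fleet:", fleet)
    for a, b, sig in links:
        print(f"  {a} <-> {b} via {sig}")
```

With these records the seed pulls in three other names: two over the shared origin IP and registrar/NS pair, and amzn-support-pago.shop only through the shared -pago template, which is the weakest of the three link types and the one to weight down (or require a second signal for) on a real dataset.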
Catching credential harvesters by their mail setup
Phishing rarely lives in isolation. The fake site needs somewhere to receive harvested credentials, forward password resets and respond to verification emails. That is where the MX record gives the operator away.
- Missing or fresh MX records: a legitimate retailer's mail infrastructure is years old. A lookalike with no MX, or an MX pointing at a free relay set up last week, is a credential-harvesting front, not a business. A missing MX on its own is a weak signal (parked and defensive registrations have none either); it matters in combination with the registration and hosting signals above.
- MX hostname reputation: some mail relays appear disproportionately in phishing forensics. Cross-referencing the MX hostname against historical abuse catches harvesters that pass every other surface check.
- Hosting IP history: an IP that hosted three other Amazon-themed domains last month is not neutral infrastructure. Reverse-IP and passive-DNS lookups turn one suspicious domain into a map of related operations.
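Scoring a single domain against the registration-age, DNS-churn and registrar signals from the "Detecting fresh registrations" section and the MX and hosting-history signals from this one, as an added Python example (not Domainscan's code). The abuse lists, the passive-DNS view and the scan records are constructed, and the weights and thresholds are illustrative assumptions. The second sample record shows the aging caveat: a lookalike registered 200 days ago passes the creation-date check but is still flagged by the remaining signals.

```python
from datetime import date, timedelta

BRAND_KEYWORDS = ("amazon", "amzn", "prime")
FRESH = timedelta(days=7)   # "registered inside the campaign window"

# Constructed reference data (assumptions, not figures from the report):
# registrars and mail relays over-represented in abuse records, and a
# passive-DNS view of which domains each IP hosted in the last 30 days.
HIGH_ABUSE_REGISTRARS = {"bulkreg"}
HIGH_ABUSE_MX = {"mail.freerelay.example"}
PASSIVE_DNS = {
    "203.0.113.10": {"amazon-refund-claim.shop", "amzn-dispute.top", "amazon-verify.online"},
}


def is_brand_keyword(domain):
    return any(k in domain.lower() for k in BRAND_KEYWORDS)


def churn(history):
    """How many times a DNS answer set changed across consecutive daily snapshots."""
    return sum(1 for a, b in zip(history, history[1:]) if set(a) != set(b))


def score_domain(rec, today):
    """Return (verdict, score, reasons) for one scanner record.

    rec keys: domain; created (date, or None when WHOIS/RDAP redacts it);
    registrar; ns_history and a_history (daily snapshots, oldest first);
    mx (list of hostnames); mx_created (date or None); ips (set).
    Weights are illustrative assumptions."""
    reasons, score = [], 0
    if not is_brand_keyword(rec["domain"]):
        return "out-of-scope", 0, reasons
    created = rec.get("created")
    if created is None:
        # Unknown is not old: a redacted creation date must not clear the name.
        score += 1
        reasons.append("creation date unavailable")
    elif today - created <= FRESH:
        score += 3
        reasons.append(f"registered {(today - created).days} days ago")
    flips = churn(rec["ns_history"]) + churn(rec["a_history"])
    if flips >= 2:
        score += 2
        reasons.append(f"{flips} NS/A changes across snapshots")
    if rec["registrar"].lower() in HIGH_ABUSE_REGISTRARS:
        score += 2
        reasons.append(f"high-abuse registrar {rec['registrar']}")
    mx = rec.get("mx") or []
    if not mx:
        score += 1   # weak alone: parked and defensive registrations have no MX either
        reasons.append("no MX record")
    else:
        abused = sorted(h for h in mx if h.lower() in HIGH_ABUSE_MX)
        if abused:
            score += 2
            reasons.append(f"MX on abused relay {abused[0]}")
        mx_created = rec.get("mx_created")
        if mx_created is not None and today - mx_created <= FRESH:
            score += 2
            reasons.append("MX host set up this week")
    for ip in sorted(rec["ips"]):
        neighbours = {d for d in PASSIVE_DNS.get(ip, ()) if is_brand_keyword(d)}
        if neighbours:
            score += 2
            reasons.append(f"{ip} hosted {len(neighbours)} other brand lookalikes")
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return verdict, score, reasons


TODAY = date(2026, 6, 8)   # constructed scan date inside the pre-sale window
SAMPLES = [
    {"domain": "amazoncredito-pago.shop", "created": TODAY - timedelta(days=3),
     "registrar": "BulkReg",
     "ns_history": [{"ns1.a.example"}, {"ns1.b.example"}, {"ns1.c.example"}],
     "a_history": [{"203.0.113.10"}] * 3,
     "mx": ["mail.freerelay.example"], "mx_created": TODAY - timedelta(days=2),
     "ips": {"203.0.113.10"}},
    # Aged lookalike: registered months ago to defeat the creation-date check;
    # the registrar, the missing MX and the hosting history still give it away.
    {"domain": "amazon-prime-claim.top", "created": TODAY - timedelta(days=200),
     "registrar": "BulkReg",
     "ns_history": [{"ns1.a.example"}] * 3, "a_history": [{"203.0.113.10"}] * 3,
     "mx": [], "mx_created": None, "ips": {"203.0.113.10"}},
    # Control: old brand-keyword domain on stable, reputable infrastructure.
    {"domain": "amazon-partner-portal.example", "created": date(2015, 3, 1),
     "registrar": "CorporateRegistrar",
     "ns_history": [{"ns1.corp.example"}] * 3, "a_history": [{"192.0.2.50"}] * 3,
     "mx": ["mx1.corp.example"], "mx_created": date(2015, 3, 2),
     "ips": {"192.0.2.50"}},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        verdict, score, reasons = score_domain(rec, TODAY)
        print(f"{rec['domain']:32} {verdict:10} {score:2}  {'; '.join(reasons)}")
```

The reasons list is as important as the score: a takedown request to a registrar or host has to cite concrete infrastructure facts, and an analyst reviewing the "suspicious" band needs to see which signals fired and which did not.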
The visual and contextual verification engine
Infrastructure signals catch infrastructure attackers. The last mile is still visual — the cloned logo, the spoofed checkout form, the hidden POST endpoint shipping the card number to an unverified server. Prism AI inspects that surface in milliseconds and correlates with the infrastructure verdict.
- Component-level deconstruction: parses the rendered page into its constituents (images, forms, scripts, network destinations) and evaluates each against a model of how the real brand renders.
- Visual anomaly detection: color and spacing drift, font substitution, layout drift and image re-encoding artifacts, signatures a URL-allowlist firewall cannot see.
- Form-destination inspection: every form's actual action URL is followed and verified. A login form on an Amazon-looking page posting to an unrelated third-party endpoint is the unambiguous fingerprint of a credential harvester.
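Form-destination inspection as an added Python example (not Prism AI's code): it parses a page's static HTML, resolves each form's real action URL against the page URL, and flags any form carrying credential or card fields that posts outside the brand's domains. The brand allowlist, the two sample pages and the collection hostname are constructed for the example, and the public-suffix handling is a minimal stand-in for the real list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed allowlist: the registrable domains the real brand's forms may post to.
BRAND_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.es"}
# Minimal stand-in for the public suffix list; a real scanner uses the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.br", "com.mx"}
# Field names whose presence makes a form credential or card capture.
SENSITIVE_NAMES = {"password", "passwd", "pass", "card", "cardnumber", "cvv", "cvc", "ssn"}


def registrable_domain(host):
    """'www.amazon.co.uk' -> 'amazon.co.uk'; 'panel.collect-example.top' -> 'collect-example.top'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class FormCollector(HTMLParser):
    """Collects every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(((a.get("type") or "text").lower(),
                                            (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inspect_forms(page_url, html):
    """One finding per form: where it really posts and whether a form carrying
    credential or card fields leaves the brand's domains."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        # A missing or empty action submits back to the page URL itself.
        target = urljoin(page_url, form["action"] or "")
        host = urlsplit(target).hostname or ""
        on_brand = registrable_domain(host) in BRAND_DOMAINS
        sensitive = any(ftype == "password" or name in SENSITIVE_NAMES
                        for ftype, name in form["fields"])
        if sensitive and not on_brand:
            verdict = "credential-harvester"
        elif not on_brand:
            verdict = "off-brand-form"
        else:
            verdict = "ok"
        findings.append({"method": form["method"], "target": target,
                         "same_origin": host == page_host,
                         "on_brand": on_brand, "sensitive": sensitive,
                         "verdict": verdict})
    return findings


# Constructed pages: the lookalike hostname and the collection endpoint are invented.
FAKE_PAGE_URL = "https://amazoncredito-pago.shop/ap/signin"
FAKE_PAGE = """
<form action="/s" method="get"><input type="text" name="k"></form>
<form action="https://panel.collect-example.top/api/submit" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="hidden" name="cardNumber">
</form>
"""
REAL_PAGE_URL = "https://www.amazon.com/ap/signin"
REAL_PAGE = """
<form method="post" action="/ap/signin">
  <input type="email" name="email"><input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for url, page in ((FAKE_PAGE_URL, FAKE_PAGE), (REAL_PAGE_URL, REAL_PAGE)):
        for f in inspect_forms(url, page):
            print(url, "->", f["target"], f["verdict"])
```

This is the static first pass. A kit that rewrites the form action from script at submit time, or serialises the fields and ships them by fetch or XHR, only shows its real destination in a rendered DOM or in the captured outbound request, which is why the page's "actual action URL is followed" wording matters: the verdict has to come from where the bytes go, not from the markup alone.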
Source
Original research from Check Point Research, reported by The Next Web: thenextweb.com/news/amazon-prime-day-2026-scam-domains-check-point-phishing