
Cyberthreats targeting the 2025 Holiday Season

DNVN - A sharp rise in deceptive domains, stolen accounts, and exploited e-commerce platforms is shaping one of the most active holiday threat environments in years.

Every year, the holiday season brings a predictable spike in online activity. But in 2025, the volume of newly created malicious infrastructure, account compromise activity, and targeted exploitation of e-commerce systems is markedly higher. Attackers began preparing months in advance, leveraging industrialized tools and services that enable them to scale attacks across multiple platforms, geographies, and merchant categories.

For retailers, financial institutions, and any business operating an e-commerce infrastructure, the threat landscape has never been more active or more tightly coupled to consumer behavior. This year’s surge in online shopping, digital payments, and promotional events creates an environment that threat actors are aggressively exploiting.

FortiGuard threat research analyzed data from the past three months to identify the most significant patterns shaping the 2025 holiday threat surface. The findings reveal a clear trend: Attackers are moving faster, automating more, and capitalizing fully on the seasonal surge.

A Rapid Expansion of Malicious Holiday-Themed Infrastructure

One of the clearest indicators of pre-holiday attacker activity is domain registration. FortiGuard identified more than 18,000 holiday-themed domains registered in the past three months, including terms such as “Christmas,” “Black Friday,” and “Flash Sale.” At least 750 of these were confirmed malicious. The remainder have not yet been classified as malicious, which is not the same as being benign: a domain registered now can sit dormant until a campaign needs it, so unclassified holiday-themed registrations still represent potential risk.

A parallel surge occurred among domains imitating major retail brands. Attackers registered over 19,000 e-commerce-themed domains, of which 2,900 were malicious. Many mimic household names, often with slight variations that are easy to miss when shoppers are moving quickly.

These domains support phishing, fraudulent storefronts, gift card scams, and payment-harvesting schemes. They also feed SEO poisoning campaigns that push malicious URLs up the search results during peak shopping events.
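The screening step that the domain figures above imply, and that the “monitor for lookalike domains” recommendation later on the page calls for, as an added example that is not part of the FortiGuard report. It normalizes each newly registered domain (digit-for-letter and rn/vv substitutions, separators stripped), then flags holiday keywords, near-misses of a protected brand by edit distance, and domains that embed the brand inside extra tokens. The brand names, thresholds, homoglyph table and the domain feed are constructed for the demo; “examplemart” stands in for a real retailer.

```javascript
// Added example (not from the FortiGuard report): screen a feed of newly
// registered domains for holiday-themed keywords and brand lookalikes.
// Brand names, thresholds and the feed below are assumptions for the demo.
const HOLIDAY_TERMS = ["christmas", "blackfriday", "cybermonday", "flashsale", "xmas"];
const PROTECTED_BRANDS = ["examplemart", "shopexample"];

// Substitutions attackers use so a label reads like the brand at a glance.
const HOMOGLYPHS = { "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "rn": "m", "vv": "w" };

function normalize(label) {
  let s = label.toLowerCase();
  for (const [from, to] of Object.entries(HOMOGLYPHS)) s = s.split(from).join(to);
  return s.replace(/[-_.]/g, "");
}

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function registrableLabel(domain) {
  const parts = domain.toLowerCase().split(".");
  // Simplification: the label before the last dot. Real tooling should use
  // the Public Suffix List so that co.uk, com.br and similar are handled.
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Returns the list of reasons a domain deserves review; empty means ignore.
function classifyDomain(domain, brands = PROTECTED_BRANDS) {
  const label = registrableLabel(domain);
  const norm = normalize(label);
  const reasons = [];
  for (const brand of brands) {
    const dist = levenshtein(norm, brand);
    if (dist === 0 && label === brand) continue; // the brand's own registration
    if (dist <= 2) reasons.push(`lookalike:${brand}:d=${dist}`);
    else if (norm.includes(brand)) reasons.push(`brand-embedded:${brand}`);
  }
  const term = HOLIDAY_TERMS.find((t) => norm.includes(t));
  if (term) reasons.push(`holiday-term:${term}`);
  return reasons;
}

function screenFeed(domains, brands = PROTECTED_BRANDS) {
  return domains
    .map((d) => ({ domain: d, reasons: classifyDomain(d, brands) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed feed of "newly registered" domains for the demo.
const SAMPLE_FEED = [
  "examplemart.com",              // the brand's legitimate domain, ignored
  "examp1emart.com",              // digit-for-letter lookalike
  "exarnplemart-support.net",     // rn -> m homoglyph plus a trust word
  "examplemart-blackfriday.shop", // brand embedded in a promo-style name
  "merry-christmas-deals.top",    // holiday keyword, no brand
  "weather-report.org",           // unrelated, ignored
];

console.log(screenFeed(SAMPLE_FEED));
```

Hits from this screen are candidates for takedown requests and for blocklists on the corporate proxy and mail gateway; the edit-distance threshold should be tuned per brand length, since a threshold of 2 is far too loose for a four-letter brand.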

Record Volumes of Stolen Account Data Fuel Credential Abuse

The report also shows a striking increase in the availability and use of stealer logs. Over the last three months, more than 1.57 million login credentials for major e-commerce sites were observed in stealer logs traded across underground markets.

Stealer logs contain browser-stored passwords, cookies, session tokens, autofill data, and system fingerprints. During the holidays, users log in to multiple accounts across devices, making these logs especially valuable.

Criminal marketplaces now index these logs with search filters, reputation scores, and automated delivery systems. This significantly reduces the skill barrier, enabling rapid credential stuffing, account takeover, and unauthorized purchases.
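Two detections for the abuse described above (and for the anomaly-detection recommendation in the best practices section), as an added example that is not part of the FortiGuard report. The first flags credential stuffing: one source address failing against many distinct accounts inside a short window. The second flags replay of a stolen session cookie: the same session identifier appearing from a different IP address and user agent than the one that established it, which is what cookies lifted from stealer logs look like in a web server log. The log line format, field names, thresholds and the sample events are constructed for the demo.

```javascript
// Added example (not from the FortiGuard report): credential-stuffing and
// session-replay detection over constructed login-event lines. The key=value
// log format, thresholds and addresses are assumptions for the demo.
const STUFFING_WINDOW_MS = 60_000; // look-back window per source IP
const STUFFING_MIN_USERS = 5;      // distinct usernames failing from one IP

function parseEvent(line) {
  const ev = {};
  for (const field of line.trim().split(/\s+/)) {
    const eq = field.indexOf("=");
    if (eq > 0) ev[field.slice(0, eq)] = field.slice(eq + 1);
  }
  ev.t = Date.parse(ev.ts); // epoch milliseconds for window arithmetic
  return ev;
}

function parseLog(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map(parseEvent);
}

// Credential stuffing: keep each IP's recent failures and count the distinct
// usernames among them. A human mistyping one password never trips this;
// a tool replaying a stealer-log dump does within seconds.
function detectStuffing(events) {
  const byIp = new Map();
  const alerts = new Map(); // ip -> first alert, so each IP alerts once
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.result !== "fail") continue;
    const recent = (byIp.get(ev.ip) || []).filter((e) => ev.t - e.t <= STUFFING_WINDOW_MS);
    recent.push(ev);
    byIp.set(ev.ip, recent);
    const users = new Set(recent.map((e) => e.user));
    if (users.size >= STUFFING_MIN_USERS && !alerts.has(ev.ip)) {
      alerts.set(ev.ip, { ip: ev.ip, at: ev.ts, distinctUsers: users.size });
    }
  }
  return [...alerts.values()];
}

// Session replay: a session id later seen from a different IP *and* a
// different user agent. Requiring both keeps mobile users who change
// networks from alerting; a stolen cookie pasted into a script changes both.
function detectSessionReplay(events) {
  const origin = new Map(); // sid -> { ip, ua } that established it
  const alerts = [];
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (!ev.sid || ev.sid === "-") continue;
    const first = origin.get(ev.sid);
    if (!first) {
      origin.set(ev.sid, { ip: ev.ip, ua: ev.ua });
      continue;
    }
    if (first.ip !== ev.ip && first.ua !== ev.ua) {
      alerts.push({ sid: ev.sid, user: ev.user, from: first.ip, replayedFrom: ev.ip, at: ev.ts });
    }
  }
  return alerts;
}

// Constructed sample: a stuffing run from 203.0.113.5, a normal user who
// mistypes once, and alice's session cookie replayed from another host.
const SAMPLE_LOG = `
ts=2025-11-28T10:00:01Z ip=203.0.113.5 ua=python-requests/2.32 user=u1@example.com sid=- result=fail
ts=2025-11-28T10:00:03Z ip=203.0.113.5 ua=python-requests/2.32 user=u2@example.com sid=- result=fail
ts=2025-11-28T10:00:05Z ip=203.0.113.5 ua=python-requests/2.32 user=u3@example.com sid=- result=fail
ts=2025-11-28T10:00:07Z ip=203.0.113.5 ua=python-requests/2.32 user=u4@example.com sid=- result=fail
ts=2025-11-28T10:00:09Z ip=203.0.113.5 ua=python-requests/2.32 user=u5@example.com sid=- result=fail
ts=2025-11-28T10:00:11Z ip=203.0.113.5 ua=python-requests/2.32 user=u6@example.com sid=s-9f1 result=success
ts=2025-11-28T10:00:20Z ip=198.51.100.7 ua=Mozilla/5.0 user=bob@example.com sid=- result=fail
ts=2025-11-28T10:00:25Z ip=198.51.100.7 ua=Mozilla/5.0 user=bob@example.com sid=s-a7c result=success
ts=2025-11-28T10:01:00Z ip=198.51.100.20 ua=Mozilla/5.0 user=alice@example.com sid=s-c0ffee result=success
ts=2025-11-28T10:09:00Z ip=203.0.113.77 ua=curl/8.5 user=alice@example.com sid=s-c0ffee result=success
`;

const EVENTS = parseLog(SAMPLE_LOG);
console.log(detectStuffing(EVENTS));
console.log(detectSessionReplay(EVENTS));
```

In production the stuffing counter belongs in the WAF or bot-management layer where it can rate-limit the source as it crosses the threshold, and a session-replay hit should invalidate the session server-side and force re-authentication rather than only raising an alert.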

The report also notes active “holiday sales” on card dumps and CVV datasets. Threat actors use Black Friday–style promotions to push stolen financial data at discounted prices, fueling an uptick in fraud.

Critical Vulnerabilities in E-Commerce Platforms

Attackers are actively exploiting vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other common e-commerce platforms. Three vulnerabilities stand out:

• CVE-2025-54236 (Adobe Commerce/Magento)

Public reporting describes this as an improper input validation flaw that is being exploited for session takeover and remote code execution. More than 250 Magento stores have shown signs of compromise, so any store that has not applied Adobe's fix should be treated as exposed and checked for indicators of compromise rather than assumed clean.

• CVE-2025-61882 (Oracle E-Business Suite)

Exploited by ransomware groups for unauthenticated remote code execution, followed by theft of ERP data and disruption of order and inventory systems.

• CVE-2025-47569 (WordPress WooCommerce Ultimate Gift Card plugin)

Poses a significant risk to WooCommerce-based online stores, as successful exploitation could allow attackers to manipulate or exfiltrate sensitive database contents. Threat actors on darknet forums are already selling database records obtained by exploiting this vulnerability.

Across platforms, vulnerabilities in plugins, templates, and API authentication are enabling payment skimming, XSS exploitation, privilege escalation, and unauthorized file uploads.

Magecart-style JavaScript injection remains one of the most persistent and damaging threats, allowing attackers to skim payment data directly from checkout pages.

Best practices

A few practical steps taken early can significantly reduce the risk of fraud, account takeover, or payment-page compromise. The following best practices outline what organizations and consumers can do to stay ahead of the most common threats during the 2025 shopping season.

For organizations:

Keep all e-commerce platforms, plugins, themes, and third-party integrations fully updated, and remove anything not being used.

Enforce HTTPS everywhere, mark session cookies Secure and HttpOnly, and restrict access to administrative pages and checkout flows.

Require MFA on administrative and high-risk accounts and enforce strong password policies.

Use bot management, rate limiting, and anomaly detection tools to reduce credential abuse.

Monitor for deceptive or lookalike domains impersonating your brand and act quickly on takedowns.

Scan for unauthorized script changes and deploy controls to detect payment-page tampering or skimmers.

Centralize logging to monitor for suspicious administrative actions, session hijacking, or unusual database access. Ensure that your fraud, security, and customer support teams follow a shared cyber-event escalation path throughout the holiday period.

For end users:

Verify website URLs carefully before entering login or payment information. Use credit cards or trusted payment processors that offer fraud protection.

Enable MFA on shopping, email, and banking accounts. Avoid public Wi-Fi or use a VPN when making purchases or managing financial accounts.

Be cautious with unsolicited messages and unrealistic promotions, particularly those tied to deliveries or discounts. Review your bank and card statements regularly to quickly detect unauthorized charges.


Bhumit Mali and Aamir Lakhani
