Every year, the holiday season brings a predictable spike in online activity. But in 2025, the volume of newly created malicious infrastructure, account compromise activity, and targeted exploitation of e-commerce systems is markedly higher. Attackers began preparing months in advance, leveraging industrialized tools and services that enable them to scale attacks across multiple platforms, geographies, and merchant categories.
For retailers, financial institutions, and any business operating an e-commerce infrastructure, the threat landscape has never been more active or more tightly coupled to consumer behavior. This year’s surge in online shopping, digital payments, and promotional events creates an environment that threat actors are aggressively exploiting.
FortiGuard threat research analyzed data from the past three months to identify the most significant patterns shaping the 2025 holiday threat surface. The findings reveal a clear trend: Attackers are moving faster, automating more, and capitalizing fully on the seasonal surge.
This blog summarizes the key insights from the new FortiRecon Cyberthreat Landscape Overview for the 2025 Holiday Season from FortiGuard Labs and offers guidance for organizations preparing the busiest online shopping period of the year.
One of the clearest indicators of pre-holiday attacker activity is domain registration. FortiGuard identified more than 18,000 holiday-themed domains registered in the past three months, including terms such as “Christmas,” “Black Friday,” and “Flash Sale.” At least 750 of these were confirmed malicious; the remainder have not yet been classified as malicious, so many of them still pose a potential risk.
A parallel surge occurred among domains imitating major retail brands. Attackers registered over 19,000 e-commerce-themed domains, of which 2,900 were malicious. Many mimic household names, often with slight variations that are easy to miss when shoppers are moving quickly.
These domains support phishing, fraudulent storefronts, gift card scams, and payment-harvesting schemes. They also feed SEO poisoning campaigns that artificially push malicious URLs up the search results during peak shopping events.
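One way to triage a feed of new registrations for the two patterns described above (holiday lure terms and slight brand variations), as an added example that is not part of the FortiGuard report; the brand list, lure terms, substitution table and 0.85 threshold are illustrative assumptions:

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlists; stand-ins for the brands and seasonal terms a defender monitors.
BRANDS = ["amazon", "walmart", "bestbuy", "target"]
HOLIDAY_TERMS = ["christmas", "xmas", "blackfriday", "cybermonday", "flashsale", "holiday"]
# Digit/symbol substitutions that lookalike registrations commonly use.
SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize_label(domain: str) -> str:
    """Lower-case, drop www/TLD, fold substitutions and separators. Non-Latin
    homoglyphs (e.g. Cyrillic o) are dropped by the ASCII step, which still
    leaves the label one edit away from the brand it imitates."""
    label = re.sub(r"^www\.", "", domain.lower().strip()).split("/")[0].split(".")[0]
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return label.translate(SUBS).replace("-", "").replace("_", "")

def brand_similarity(label: str):
    """Best-matching brand and a 0..1 ratio; an embedded brand string counts as 1.0."""
    best = (None, 0.0)
    for brand in BRANDS:
        if brand in label:
            return brand, 1.0
        ratio = SequenceMatcher(None, brand, label).ratio()
        if ratio > best[1]:
            best = (brand, ratio)
    return best

def triage_domain(domain: str, threshold: float = 0.85) -> dict:
    """Score one newly registered domain for holiday-themed brand impersonation."""
    label = normalize_label(domain)
    brand, ratio = brand_similarity(label)
    lures = [t for t in HOLIDAY_TERMS if t in label]
    reasons = []
    if ratio >= threshold:
        reasons.append(f"brand lookalike: {brand} ({ratio:.2f})")
    if lures:
        reasons.append("holiday lure term: " + ",".join(lures))
    # Lookalike plus lure term is the pattern the report describes; rank it highest.
    verdict = "high" if ratio >= threshold and lures else "medium" if reasons else "low"
    return {"domain": domain, "label": label, "verdict": verdict, "reasons": reasons}

def triage_feed(domains):
    """Rank a feed of new registrations, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((triage_domain(d) for d in domains), key=lambda r: order[r["verdict"]])
```

The output is a queue for analyst review or for feeding a blocklist, not a verdict on its own; legitimate affiliates and resellers also register brand-plus-sale names.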
The report also shows a striking increase in the availability and use of stealer logs. Over the last three months, more than 1.57 million login accounts for major e-commerce sites were collected from stealer logs offered across underground markets.
Stealer logs contain browser-stored passwords, cookies, session tokens, autofill data, and system fingerprints. During the holidays, users log in to multiple accounts across devices, making these logs especially valuable.
Criminal marketplaces now index these logs with search filters, reputation scores, and automated delivery systems. This significantly reduces the skill barrier, enabling rapid credential stuffing, account takeover, and unauthorized purchases.
The report also notes active “holiday sales” on card dumps and CVV datasets. Threat actors use Black Friday–style promotions to push stolen financial data at discounted prices, fueling an uptick in fraud.
Attackers are actively exploiting vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other common e-commerce platforms. Three vulnerabilities stand out:
Across platforms, vulnerabilities in plugins, templates, and API authentication are enabling payment skimming, XSS exploitation, privilege escalation, and unauthorized file uploads.
Magecart-style JavaScript injection remains one of the most persistent and damaging threats, allowing attackers to skim payment data directly from checkout pages.
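A defender-side check for the checkout-page injection described above: diff the scripts on the live checkout page against a baseline of expected first-party hosts and inline-script hashes. This is an added example, not code from the report or from any of the platforms named; the page markup, host names and the `sha384-PLACEHOLDER` value are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page as served today (not a real storefront); the last
# script stands in for an injected inline snippet and its body is a harmless placeholder.
CHECKOUT_HTML = """<html><body>
<script src="https://cdn.shop.example/js/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.shopConfig = {currency: "USD"};</script>
<script src="https://static.unknown-cdn.example/t.js"></script>
<script>var injectedPlaceholder = 1;</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    # Collects external script sources (with their SRI attribute) and inline script bodies.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], a.get("integrity")))
            else:
                self._buf = ""          # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf += data
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append(self._buf.strip())
            self._buf = None

def sha256_b64(text: str) -> str:
    # CSP/SRI-style base64 SHA-256 of a script body.
    return base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()

# Baseline recorded from the known-good release: first-party host and inline hashes.
ALLOWED_HOSTS = {"cdn.shop.example"}
KNOWN_INLINE = {sha256_b64('window.shopConfig = {currency: "USD"};')}

def audit_checkout(html: str, allowed_hosts=ALLOWED_HOSTS, known_inline=KNOWN_INLINE):
    """Diff the live page's scripts against the baseline; each finding is (kind, detail)."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        if urlparse(src).netloc not in allowed_hosts:
            findings.append(("foreign_script", src))
        elif not integrity:
            findings.append(("missing_sri", src))   # allowed host but no integrity pin
    findings += [("unknown_inline", h) for h in map(sha256_b64, p.inline) if h not in known_inline]
    return findings
```

Run from outside the storefront on a schedule so that a server-side compromise cannot also silence the check; the same hashes can be published in a Content-Security-Policy to block unlisted scripts in the browser.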
This year’s threat activity is driven by a high level of automation, supported by a mature ecosystem of services that eliminates the need for attackers to build their own tools or infrastructure. AI-powered brute-force frameworks now handle large volumes of login attempts with human-like timing and behavior, making credential attacks more difficult to detect. Credential validation tools tailored for WooCommerce, WordPress, FTP, SMTP, and common admin panels allow attackers to quickly test and confirm stolen usernames and passwords across entire fleets of sites. And bulk proxy and VPN services offer rotating IP addresses and geographic diversity, which helps prevent automated activity from triggering rate limits or geofencing controls.
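Detection logic for the proxied, one-attempt-per-IP pattern described above, run over constructed login events; an added example, not part of the report or any Fortinet product. The log format, IP ranges, accounts and thresholds are all assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed storefront login events (not real data): timestamp, client IP, account, outcome.
SAMPLE_LOG = """\
2025-11-28T09:00:01Z 203.0.113.10 alice@example.com FAIL
2025-11-28T09:00:09Z 198.51.100.7 bob@example.com FAIL
2025-11-28T09:00:15Z 192.0.2.33 carol@example.com FAIL
2025-11-28T09:00:22Z 203.0.113.11 dave@example.com FAIL
2025-11-28T09:00:31Z 198.51.100.8 erin@example.com FAIL
2025-11-28T09:00:40Z 192.0.2.34 frank@example.com FAIL
2025-11-28T09:00:48Z 203.0.113.12 grace@example.com OK
2025-11-28T09:00:55Z 198.51.100.9 heidi@example.com FAIL
2025-11-28T09:01:03Z 192.0.2.35 ivan@example.com FAIL
2025-11-28T09:01:10Z 203.0.113.13 judy@example.com FAIL
2025-11-28T09:05:00Z 10.0.0.5 alice@example.com OK
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log: str):
    """Yield (time, ip, account, outcome) tuples from the constructed log format."""
    for m in filter(None, map(LINE.match, log.splitlines())):
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m[2], m[3], m[4]

def detect_distributed_stuffing(events, window_s=120, min_ips=8, min_fail_ratio=0.8):
    """Bucket events into fixed windows and look for the fleet-wide shape of a
    proxied credential-stuffing run: many distinct IPs, each touching at most a
    couple of accounts, with a high failure share. A per-IP rate limit never trips
    here because every proxy IP sends a single attempt. Thresholds are illustrative."""
    bins = defaultdict(list)
    for e in events:
        bins[int(e[0].timestamp()) // window_s].append(e)
    findings = []
    for key, win in sorted(bins.items()):
        ips = {e[1] for e in win}
        attempts_per_ip = max(sum(1 for e in win if e[1] == ip) for ip in ips)
        fail_ratio = sum(e[3] == "FAIL" for e in win) / len(win)
        if len(ips) >= min_ips and attempts_per_ip <= 2 and fail_ratio >= min_fail_ratio:
            findings.append({
                "window_start": datetime.fromtimestamp(key * window_s, timezone.utc).isoformat(),
                "distinct_ips": len(ips),
                "distinct_accounts": len({e[2] for e in win}),
                "fail_ratio": round(fail_ratio, 2),
                # A success inside the spray is the credential worth forcing a re-auth on.
                "suspect_validated": sorted(e[2] for e in win if e[3] == "OK"),
            })
    return findings
```

The accounts listed under `suspect_validated` are the ones to step up (forced password reset or MFA challenge) rather than the source IPs, which rotate away.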
Instant-setup hosting for phishing pages or malware delivery has become a staple offering, providing attackers with ready-made servers that require minimal configuration. New website-cloning services can reproduce full storefronts for use in fraud campaigns, while automated SIP platforms support high-volume vishing attempts with spoofed caller IDs. SMS spam panels extend these capabilities into smishing campaigns, letting attackers target shoppers with fake delivery notices or discount offers.
SEO manipulation packages are also being marketed to push malicious URLs higher in search results, increasing the likelihood that hurried shoppers will click on them. In parallel, specialized services install payment skimmers or backdoors on CMS-based platforms, enabling long-term data theft. Even the monetization side is now being commoditized, with detailed tutorials circulating on how to convert stolen e-wallet balances and gift-card credits into cash or resalable assets.
The combined effect is a tightly integrated marketplace where attackers can prepare at scale for the holiday surge. Many of these tools and services even advertise “holiday specials,” reflecting how closely they mirror legitimate seasonal promotions.
Underground markets are showing a clear rise in listings tied to e-commerce compromise, and the scale reflects how organized these operations have become. Threat actors are selling full customer databases pulled from breached online stores, along with millions of leaked WooCommerce records containing shopper and merchant details.
Payment tokens and customer contact information appear frequently, as do browser cookies that allow buyers to bypass passwords and multi-factor authentication (MFA) altogether. Some listings even offer administrative or FTP access to high-revenue retail sites, giving attackers direct control over backend systems. Others are recruiting accomplices for cash-out operations, enabling rapid laundering or monetization of stolen balances and fraudulent purchases.
Because the holiday season brings higher transaction volumes and more rapid purchasing behavior, compromised accounts move quickly through these markets. Stolen sessions with active shopping histories are especially valuable, as they closely resemble legitimate user activity and are much harder to detect in real time.
The findings show a clear pattern: Attackers are operating with greater speed, automation, and commercial organization. The traditional holiday spike in cyber activity now intersects with large stealer-log ecosystems, commodity AI tooling, and widespread vulnerabilities in e-commerce infrastructure.
For CISOs, fraud teams, and e-commerce leaders, this is not a temporary challenge confined to the holiday window. It reflects broader trends in attacker tooling and monetization that will persist into 2026.
A few practical steps taken early can significantly reduce the risk of fraud, account takeover, or payment-page compromise. The following best practices outline what organizations and consumers can do to stay ahead of the most common threats during the 2025 shopping season.
For deeper details, the full FortiRecon Cyberthreat Landscape Overview for the 2025 Holiday Season from FortiGuard Labs goes beyond the highlights covered here. It includes complete domain-registration analysis, vulnerability tables with CVSS scores and exploitation notes, threat actor posts with screenshots and marketplace listings, detailed breakdowns of attacker tools and how they function, and tailored recommendations for different organizational roles.
Download the full report to prepare your security, fraud, and e-commerce teams for the 2025 holiday season.
Fortinet security solutions provide multiple layers of protection against the techniques, infrastructure, and malware activity described in this report. FortiGate, FortiMail, FortiClient, and FortiEDR all support the FortiGuard Antivirus Service, which detects and blocks malicious files, payloads, and stealer-log malware families used in many holiday-season campaigns. Customers with up-to-date FortiGuard protections are safeguarded across network, endpoint, and email vectors.
FortiMail plays a central role in stopping phishing attempts tied to fake promotions, fraudulent storefronts, and delivery scams. It identifies and quarantines malicious URLs, spoofed sender domains, and credential-harvesting forms commonly used against holiday shoppers and retail employees. Real-time anti-phishing detection provided by FortiSandbox, embedded in FortiMail, FortiGate, and FortiClient, adds another layer by identifying both known and unknown phishing attempts, including polymorphic or AI-generated lures.
Fortinet’s Security Awareness and Training Service, along with the FortiPhish phishing-simulation platform, helps organizations strengthen their human layer of defense. These services train and test employees against social engineering tactics such as fake delivery alerts, credential-reset scams, and look-alike retail domains. This reduces the likelihood that attackers can exploit holiday-related rush, distraction, or urgency.
FortiGuard Web Filtering and IP Reputation services block access to malicious domains, stealer-log marketplaces, fraudulent e-commerce sites, and the attacker infrastructure highlighted in this report. FortiGuard Anti-botnet and C2 Service helps prevent command-and-control communication from infected devices on the network. The FortiGuard Content Disarm and Reconstruction Service, available on both FortiGate and FortiMail, neutralizes malicious scripts and embedded threats before they reach users.
If you believe your organization has been impacted by any of the threats described in this report, Fortinet’s global FortiGuard Incident Response team is available to help with investigation, containment, and remediation.