
Holiday 2025 Sees Surge in Automated Cyberattacks, Stolen Logins

Photo by: Unsplash
By Diego Valverde | Journalist & Industry Analyst - Tue, 12/09/2025 - 11:40

FortiGuard Labs reports an unprecedented acceleration in cyber threats for the 2025 Christmas holiday season, characterized by massive attack automation, expansion of malicious infrastructure, and the compromise of more than 1.57 million e-commerce credentials. This increase in sophistication and volume results from strategic planning by threat actors seeking to maximize returns during the peak consumption season.

"Attackers started preparing months in advance, leveraging tools and services that allow them to scale attacks across multiple platforms, geographies, and merchant categories," reads the Cyber Threat Landscape Overview for the 2025 Holiday Season report.

The holiday season consistently brings a predictable increase in online activity, yet the 2025 landscape presents a notably higher volume of new malicious infrastructure and targeted system exploitation. High-traffic events, such as Black Friday and flash sales, create an environment for malicious actors to deploy aggressive attack vectors.

Data analysis from the last three months reveals that attackers seek not only direct financial fraud but also systematic account compromise and long-term data harvesting. The threat surface has expanded to include everything from deceptive domain registration to the exploitation of critical vulnerabilities in content management systems and enterprise resource planning systems.

Technical Analysis of the Threat Landscape

The FortiRecon report breaks down the specific tactics and compromised assets that define this critical period for corporate security. One leading indicator of malicious activity is mass domain registration. In the last three months, FortiGuard Labs identified more than 18,000 holiday-themed domains, including terms such as "Christmas" and "Black Friday," of which at least 750 were classified as malicious.

Simultaneously, a parallel increase occurred in domains mimicking major retail brands. Attackers registered more than 19,000 e-commerce-themed domains, and 2,900 of these are malicious. These assets facilitate phishing campaigns, fraudulent storefronts, and payment harvesting strategies by using typographical variations that are difficult for the end user to detect.
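As an added illustration of how a defender can triage the holiday-themed and brand-mimicking registrations described above (this is not FortiGuard's tooling; the brand list, keyword list and sample domains are constructed), a small Python triage that folds common look-alike substitutions before comparing each new label against protected brand names:

```python
"""Triage newly registered domains for holiday themes and brand lookalikes.
Added example, not FortiGuard's tooling: keyword list, brand list and the
sample registrations are constructed for illustration."""
import re
import unicodedata

HOLIDAY_TERMS = ("christmas", "xmas", "blackfriday", "cybermonday", "holiday")
BRANDS = ("examplestore", "megamart")   # hypothetical brands a retailer protects
# Digit/symbol look-alikes commonly swapped into typosquats (not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(label: str) -> str:
    """Fold a label to how a hurried shopper reads it: strip accents, map
    look-alike characters, collapse 'rn' -> 'm' and 'vv' -> 'w'."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    label = label.lower().translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain: str) -> dict:
    """Flag one domain: does it carry a holiday term, does it impersonate a brand?
    Assumes the feed supplies bare registrable domains (label.tld)."""
    sld = domain.lower().split(".")[0]                   # registrable label only
    raw = re.sub(r"[^a-z0-9]", "", sld)                  # what was literally registered
    folded = re.sub(r"[^a-z0-9]", "", normalize(sld))     # what the victim perceives
    holiday = any(term in folded for term in HOLIDAY_TERMS)
    lookalike = None
    for brand in BRANDS:
        if raw == brand:
            continue                                     # the genuine label itself
        # Brand embedded in a longer label, or within two edits of it.
        if brand in folded or edit_distance(folded, brand) <= 2:
            lookalike = brand
            break
    return {"domain": domain, "holiday": holiday, "lookalike": lookalike}


if __name__ == "__main__":
    for name in ("christmas-deals-2025.example", "exarnplestore.example",
                 "rnegamart-blackfriday.example", "examplestore.example", "weather.example"):
        print(triage(name))
```

The two-edit threshold is only safe for brand names as long as the ones here; short brands need a stricter cutoff or a whitelist of legitimate near-neighbours.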

In addition, credential abuse is being driven by a record volume of stolen data. Underground markets have collected more than 1.57 million login accounts linked to major e-commerce sites. These stealer logs are not limited to username and password combinations; they include session cookies, tokens, autofill data, and browser fingerprints.

The availability of stolen sessions with active purchase histories is critical because it allows attackers to simulate legitimate user behavior and evade real-time security controls. Automated marketplaces sell this data with reputation scores and search filters, which lowers the technical barrier to committing fraud.

Critical Vulnerabilities and Code Execution

Attackers are exploiting known and zero-day vulnerabilities in e-commerce platforms. These include:

  • CVE-2025-54236 (Adobe Commerce): Known as SessionReaper, this vulnerability stems from improper validation on REST API endpoints and enables arbitrary command injection and persistence in compromised stores.

  • CVE-2025-61882 (Oracle E-Business Suite): Exploited by ransomware groups such as Clop, this flaw allows unauthenticated remote code execution that severely affects backend enterprise resource planning systems.

  • Third-Party Components: The WooCommerce Ultimate Giftcard plugin and Bagisto have vulnerabilities that allow privilege escalation and data theft.

Additionally, malicious JavaScript injection, known as Magecart-style attacks, remains a prevalent threat on platforms such as Shopify and WooCommerce, allowing payment data to be exfiltrated directly from the customer's browser.

Automated Tools and Crime-as-a-Service

The criminal ecosystem has industrialized its operations through AI-driven tools. Forums promote brute-force frameworks that use large language models to analyze web forms and evade detection by mimicking human behavior.

Additionally, attackers acquire preconfigured infrastructure services. These include phishing panels that automate spam filter evasion, website cloning services that create exact replicas of legitimate sites to intercept traffic, and residential proxies to anonymize attack traffic and evade geographic blocks.

“By understanding these attack patterns and implementing proactive security measures, both consumers and merchants can reduce exposure to financial loss and data breaches during the holiday shopping season,” reads the report.

The FortiGuard Labs report recommends that organizations adopt a proactive defense posture. Essential measures include keeping all e-commerce platforms and plugins up to date and removing unused components to reduce the attack surface.

Companies are also urged to enforce HTTPS everywhere to secure session cookies and payment flows. Furthermore, implementing mandatory multifactor authentication for administrative accounts and deploying bot management tools are critical steps to mitigate credential stuffing attacks.
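Bot management against credential stuffing rests on telling a shopper apart from a script replaying a stolen credential list: one source, many distinct accounts, few successes. An added example, not from the report, of that detection over constructed login log lines (the log format, addresses and thresholds are assumptions):

```python
"""Flag credential-stuffing sources in web login logs.
Added example, not from the FortiGuard report. The log format
'<iso-timestamp> <src_ip> login <account> <OK|FAIL>' and the sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse(lines):
    """Yield (timestamp, ip, account, succeeded) for each log line."""
    for line in lines:
        ts, ip, _, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result == "OK"


def detect(lines, window=timedelta(minutes=5), min_accounts=8, max_success=0.2):
    """Return {ip: stats} for sources that tried many distinct accounts inside one
    window with a low success rate (a replayed stolen list, not one fumbling user)."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in parse(lines):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {a for _, a, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(accounts) >= min_accounts and successes <= max_success * len(span):
                best = flagged.get(ip)
                if best is None or len(accounts) > best["accounts"]:   # keep widest window
                    flagged[ip] = {"attempts": len(span), "accounts": len(accounts),
                                   "successes": successes}
    return flagged


def build_sample():
    """Constructed log: one source cycles through ten stolen accounts in two minutes
    (one credential still works); a real shopper mistypes twice, then logs in."""
    base = datetime(2025, 12, 9, 10, 0, 0)
    lines = []
    for i in range(10):
        ts = (base + timedelta(seconds=12 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 login user{i:02d} {'OK' if i == 3 else 'FAIL'}")
    for i, result in enumerate(("FAIL", "FAIL", "OK")):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.4 login alice {result}")
    return lines


if __name__ == "__main__":
    print(detect(build_sample()))   # {'203.0.113.7': {'attempts': 10, 'accounts': 10, 'successes': 1}}
```

Residential proxies, which the report notes attackers rent to spread traffic across many source addresses, blunt a per-IP threshold; the same window logic is therefore also applied per account and per device fingerprint in practice.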
