Holiday cyber threats intensify as attackers scale e-commerce fraud

Cybercriminals are exploiting the 2025 holiday shopping surge with automated tools, fake domains and stolen credentials. FortiGuard warns e-commerce firms to strengthen detection and fraud controls.

Voice&Data Bureau

Every year, the holiday season brings a predictable surge in online activity. In 2025, however, the scale and sophistication of malicious activity targeting digital commerce have reached new levels. The volume of newly created malicious infrastructure, account compromise attempts and targeted exploitation of e-commerce systems is significantly higher than in previous years, reflecting how early and systematically attackers now prepare for peak shopping periods.

Threat actors began laying the groundwork months in advance, using industrialised tools and services that allow attacks to be deployed at scale across multiple platforms, geographies and merchant categories. For retailers, financial institutions and any organisation operating e-commerce or digital payment systems, the threat landscape has become more active and more closely tied to consumer behaviour than ever before. Rising online shopping volumes, expanded digital payments and aggressive promotional campaigns have created conditions that attackers are exploiting with precision.

An analysis of threat data from the past three months by FortiGuard Labs highlights clear shifts in the 2025 holiday threat surface. Attackers are moving faster, relying more heavily on automation and fully capitalising on the seasonal surge in online transactions.

“What stands out this year is how professional and automated holiday season cybercrime has become,” said Vivek Srivastava, Country Manager for India and SAARC at Fortinet. “Attackers are planning months ahead and targeting online commerce platforms when transaction volumes are at their highest. For Indian organisations, especially those running e-commerce and digital payment platforms, this reinforces the need for strong visibility across systems and the ability to detect unusual behaviour quickly, particularly during busy sales and promotional periods.”

Stolen credentials and fake domains power seasonal fraud

One of the clearest indicators of pre-holiday attacker activity is the rapid expansion of malicious infrastructure. FortiGuard identified more than 18,000 holiday-themed domain registrations in the past three months, using terms such as “Christmas”, “Black Friday” and “Flash Sale”. At least 750 of these domains were confirmed as malicious, while many others remain unclassified, posing an ongoing risk.

At the same time, attackers registered more than 19,000 domains designed to imitate major retail brands, with around 2,900 identified as malicious. These domains often use subtle variations of well-known names that are easy to overlook when shoppers are moving quickly. Such infrastructure supports phishing campaigns, fake online stores, gift card scams and payment-harvesting schemes, while also fuelling SEO poisoning efforts that push malicious links higher in search results during peak shopping events.
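The two infrastructure signals described above, holiday-themed registrations and brand lookalikes with "subtle variations of well-known names", can be triaged automatically from a feed of new domain registrations. The following is an added example, not FortiGuard or Fortinet code: it normalises the registrable label (undoing digit homoglyphs such as 0 for o and 4 for a), scores it against a protected-brand list with edit distance, and flags holiday lure terms. The brand names, the lure list and the sample registrations are constructed; a real deployment would plug in its own brand list and a registration feed.

```python
"""Triage newly registered domains for brand lookalikes and holiday lures.

Added illustration (not FortiGuard or Fortinet code). BRANDS, HOLIDAY_TERMS and the
sample registrations are constructed; a real deployment would load a protected-brand
list and a feed of new registrations (e.g. certificate-transparency or zone-file data).
"""
from __future__ import annotations

# Constructed watch-list: the brands a retailer's security team wants to protect.
BRANDS = ["megamart", "shopzone", "dealhub"]

# Seasonal lure terms of the kind the report cites ("Christmas", "Black Friday", "Flash Sale").
HOLIDAY_TERMS = ["christmas", "blackfriday", "flashsale", "cybermonday"]

# Digit/symbol substitutions commonly used to disguise a brand, mapped back to the plain letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) using a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a hostname: 'www.megamart-sale.com' -> 'megamart-sale'.

    Simplification: the last label is treated as the TLD, so multi-part suffixes
    such as .co.uk would need a public-suffix list in production."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Undo homoglyphs and drop separators so 'meg4-mart' compares as 'megamart'."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def closest_brand(label: str) -> tuple[str | None, int | None]:
    """Smallest edit distance between any brand and any same-length window of the label,
    so 'megamartsale' scores 0 against 'megamart' even though it is longer."""
    best_brand, best_dist = None, None
    for brand in BRANDS:
        windows = [label[i:i + len(brand)] for i in range(max(1, len(label) - len(brand) + 1))]
        dist = min(levenshtein(w, brand) for w in windows)
        if best_dist is None or dist < best_dist:
            best_brand, best_dist = brand, dist
    return best_brand, best_dist


def classify(domain: str) -> dict:
    """Return a triage record. Distance 0 = brand embedded verbatim, 1-2 = typosquat."""
    label = normalise(registrable_label(domain))
    brand, dist = closest_brand(label)
    lookalike = dist is not None and dist <= 2
    holiday = [t for t in HOLIDAY_TERMS if t in label]
    return {
        "domain": domain,
        "brand": brand if lookalike else None,
        "distance": dist,
        "holiday_terms": holiday,
        "verdict": "review" if (lookalike or holiday) else "ignore",
    }


def triage(domains: list[str]) -> list[dict]:
    """Records needing analyst review, brand hits first, then by distance and lure count."""
    hits = [r for r in map(classify, domains) if r["verdict"] == "review"]
    return sorted(hits, key=lambda r: (r["brand"] is None, r["distance"], -len(r["holiday_terms"])))


if __name__ == "__main__":
    # Constructed sample registrations, not from the report.
    sample = ["www.meg4mart-blackfriday.shop", "shopzonee.com", "sh0pz0ne-login.net",
              "flash-sale-2025.store", "weathernews.org"]
    for rec in triage(sample):
        print(rec)
```

A distance threshold of 2 keeps the review queue short for a handful of brands; with a long brand list, short brand names will need a tighter threshold or a minimum-length rule to avoid false positives, and the review output is meant to feed takedown requests and web-proxy blocklists rather than to block automatically.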

Another major driver of holiday fraud is the growing availability of stolen account data. Over the past three months, more than 1.57 million login accounts linked to major e-commerce platforms were collected and traded through underground markets via stealer logs. These logs contain browser-stored passwords, cookies, session tokens, autofill data and system fingerprints. During the holiday season, when users log into multiple accounts across devices, such data becomes especially valuable.

Criminal marketplaces have evolved to make this information easier to exploit, offering search filters, reputation scores and automated delivery systems that lower the skill barrier for attackers. This has accelerated credential stuffing, account takeover attempts and unauthorised purchases. The report also notes a rise in so-called “holiday sales” of card dumps and CVV datasets, with threat actors mirroring legitimate promotions to move stolen financial data at discounted prices.

Automation and underground markets drive profits at scale

The scale of these attacks is being enabled by a mature and highly automated ecosystem of tools and services. AI-powered brute-force frameworks can now conduct large volumes of login attempts with human-like timing and behaviour, making detection more difficult. Specialised credential validation tools allow attackers to rapidly test stolen usernames and passwords across platforms such as WooCommerce, WordPress and common administrative panels. Meanwhile, bulk proxy and VPN services provide rotating IP addresses and geographic diversity to bypass rate limits and geofencing controls.
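The credential stuffing described in the previous section, combined with the human-like pacing and rotating proxy IPs described here, is exactly the traffic a plain per-IP rate limit misses. What survives that evasion is the shape of the failures: one source failing against many different accounts, or one account failing from many different sources, inside a short window. The following is an added example, not FortiGuard or Fortinet code, that scores web-login logs on both signals and surfaces any success from a spraying IP as a probable account takeover. The log lines, IP addresses, account names and thresholds are constructed.

```python
"""Detect credential-stuffing and account-takeover patterns in web-login logs.

Added illustration (not FortiGuard or Fortinet code). The log lines are constructed.
Attempts are paced 60-150 s apart and spread over proxy IPs, so a 10-per-minute
per-IP limit never trips; the detector instead looks at fan-out and spread.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client IP> <account> <OK|FAIL>".
SAMPLE_LOG = """\
2025-11-28T09:00:01Z 203.0.113.10 alice@example.com FAIL
2025-11-28T09:01:33Z 203.0.113.10 bob@example.com FAIL
2025-11-28T09:02:10Z 198.51.100.1 carol@example.com FAIL
2025-11-28T09:03:05Z 203.0.113.10 erin@example.com FAIL
2025-11-28T09:04:25Z 198.51.100.2 carol@example.com FAIL
2025-11-28T09:04:40Z 203.0.113.10 grace@example.com FAIL
2025-11-28T09:05:00Z 192.0.2.7 dave@example.com FAIL
2025-11-28T09:05:20Z 192.0.2.7 dave@example.com FAIL
2025-11-28T09:05:41Z 192.0.2.7 dave@example.com OK
2025-11-28T09:06:12Z 203.0.113.10 heidi@example.com FAIL
2025-11-28T09:06:48Z 198.51.100.3 carol@example.com FAIL
2025-11-28T09:07:50Z 203.0.113.10 frank@example.com OK
2025-11-28T09:09:15Z 198.51.100.4 carol@example.com FAIL
"""


def parse(log_text: str) -> list[tuple[datetime, str, str, bool]]:
    """Parse lines into (time, ip, account, success) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"))
    return sorted(events)


def max_distinct_in_window(events: list[tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct keys seen in any window-sized span of a time-sorted list."""
    best = 0
    for i, (start, _) in enumerate(events):
        keys = {key for t, key in events[i:] if t - start <= window}
        best = max(best, len(keys))
    return best


def detect(log_text: str, window_minutes: int = 10,
           ip_fanout: int = 5, account_spread: int = 4) -> list[dict]:
    """Findings for IPs spraying many accounts and for accounts hit from many IPs.

    Thresholds are constructed starting points; tune them against the site's own
    baseline of legitimate failed logins (the 'dave' typo-then-success pattern below
    must stay below both)."""
    window = timedelta(minutes=window_minutes)
    events = parse(log_text)
    fails_by_ip: dict[str, list] = defaultdict(list)
    fails_by_account: dict[str, list] = defaultdict(list)
    for t, ip, account, ok in events:
        if not ok:
            fails_by_ip[ip].append((t, account))
            fails_by_account[account].append((t, ip))

    findings = []
    for ip, fails in fails_by_ip.items():
        n = max_distinct_in_window(fails, window)
        if n >= ip_fanout:
            # A success from a spraying IP is the probable takeover: hand it to the fraud team.
            takeovers = sorted({a for _, i, a, ok in events if ok and i == ip})
            findings.append({"type": "ip_fanout", "ip": ip, "distinct_accounts": n,
                             "successes": takeovers})
    for account, fails in fails_by_account.items():
        n = max_distinct_in_window(fails, window)
        if n >= account_spread:
            findings.append({"type": "distributed_on_account", "account": account, "distinct_ips": n})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample this yields two findings: the source 203.0.113.10 failing against five accounts and then succeeding on one, and carol@example.com being tried from four different addresses, while the benign user who mistypes twice and then logs in is not flagged. The account-level signal is the one worth wiring into the session-security controls the article recommends (step-up authentication or a forced re-login for the targeted account), because it keeps working when every attempt arrives from a fresh proxy.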

Instant-setup hosting for phishing pages and malware delivery, website-cloning services that replicate full online storefronts, and automated platforms for vishing and smishing campaigns have become widely available. Attackers are also using SEO manipulation services to promote malicious URLs and deploying payment skimmers or backdoors on compromised content management systems to enable long-term data theft. Even monetisation has been commoditised, with detailed guidance circulating on how to convert stolen gift cards, e-wallet balances and credentials into cash or resalable assets. Many of these services openly advertise holiday-themed promotions, underscoring how closely cybercrime now mirrors legitimate seasonal commerce.

Underground markets show a corresponding rise in listings tied to e-commerce compromise. Threat actors are selling entire customer databases extracted from breached online stores, alongside millions of leaked WooCommerce records containing shopper and merchant data. Payment tokens, customer contact information and browser cookies that allow attackers to bypass passwords and multi-factor authentication appear frequently. Some listings even offer administrative or FTP access to high-revenue retail sites, while others recruit partners to assist with cash-out operations.

Higher transaction volumes and faster purchasing behaviour during the holiday season mean compromised accounts move quickly through these markets. Active sessions with established shopping histories are particularly valuable, as they closely resemble legitimate activity and are harder to detect in real time.

For business leaders, the findings point to a clear conclusion. Holiday-season cyber threats are no longer a short-term spike but part of a broader shift towards faster, more automated and commercially organised attacks. The convergence of large stealer-log ecosystems, commodity AI tooling and persistent weaknesses in e-commerce infrastructure suggests these risks will extend well beyond the festive period and into 2026.

Reducing exposure during the busiest shopping period requires preparation well in advance. Organisations need to ensure e-commerce platforms and third-party integrations are fully updated, enforce strong authentication and session security, and monitor continuously for anomalous behaviour. Equally important is coordination between security, fraud and customer support teams, so potential incidents are identified and escalated quickly.

For consumers, caution remains critical. Verifying website addresses, using payment methods with fraud protection, enabling multi-factor authentication and remaining sceptical of unsolicited messages or unusually generous promotions can significantly reduce risk. Regularly reviewing bank and card statements also helps identify unauthorised activity before it escalates.

As the 2025 holiday season demonstrates, cybercrime has become as seasonal, scalable and commercialised as online retail itself. Organisations and consumers alike now face a shared challenge: staying alert in an environment where speed, convenience and volume increasingly work in attackers’ favour.
