Holiday cyber threats surge as attackers exploit 2025 sales
By: Fortinet FortiGuard Labs
Every year, the holiday season brings a predictable surge in online activity. But in 2025, the volume of new malicious infrastructure, account takeover activity, and targeted exploitation of e-commerce systems is rising to unprecedented levels. Threat actors have been preparing for months, leveraging tools and services that let them scale attacks across platforms, regions, and retail categories.
For retailers, financial institutions, and any business running e-commerce infrastructure, the threat landscape has never been more aggressive. The sharp increase in online shopping, digital payments, and promotional events this year has created a perfect storm for cybercriminals.
Fortinet’s FortiGuard Labs threat team analyzed the last three months of data to uncover key patterns shaping the holiday 2025 cyber threat landscape. The findings reveal a clear trend: attackers are moving faster, automating more, and taking full advantage of holiday shopping behaviors.
This column summarizes the key findings from FortiGuard Labs’ FortiRecon report on the 2025 Holiday Cyber Threat Landscape and offers actionable guidance to help organizations prepare for the busiest online shopping season of the year.
A surge in holiday-themed malicious infrastructure
One early sign of holiday-focused cyber activity is domain registration. In the past three months alone, FortiGuard identified over 18,000 newly registered domains using holiday-related terms like “Christmas,” “Black Friday,” and “flash sales.” At least 750 were confirmed as malicious. Many others, while not flagged yet, still pose potential risks.
There was also a parallel spike in lookalike domains mimicking top retail brands. Over 19,000 domains tied to e-commerce were registered, with 2,900 confirmed as malicious. Many of these copy well-known names with subtle tweaks, easy to miss when shoppers are in a hurry. These sites enable phishing scams, fake stores, gift card fraud, and payment harvesting schemes.
Stolen credentials fuel record-level account abuse
The report also highlights a surge in the availability and usage of stolen identity logs. Over the last three months, more than 1.57 million login credentials tied to major e-commerce platforms have surfaced in underground markets. These logs include browser-saved passwords, cookies, session tokens, autofill data, and device fingerprints.
These underground marketplaces now offer advanced filters, reputation scores, and automated delivery systems, lowering the skill barrier for cybercriminals. Credential theft, account takeovers, and unauthorized purchases can now be launched in minutes.
Listings linked to e-commerce breaches are rising across the dark web. The scale of these operations speaks to their growing sophistication. With increased transaction volume and quicker buyer behavior during the holidays, compromised accounts sell fast. Logs with active shopping histories are especially valuable, as they closely mimic real user behavior, making them harder to detect in real time.
What you can do: Best practices to reduce risk
A few proactive steps, taken early, can dramatically reduce the risk of fraud, account takeover, and payment page compromise. Here are key best practices that organizations and consumers should follow to stay protected during the 2025 holiday shopping season.
Best practices for organizations
- Keep all e-commerce platforms, plugins, and third-party integrations up to date and remove any that aren’t in use.
- Enforce HTTPS everywhere and secure cookies, admin pages, and payment flows.
- Require multi-factor authentication (MFA) for high-risk admin accounts and enforce strong password policies.
- Use bot management tools, rate limiting, and anomaly detection to reduce credential abuse.
- Monitor for deceptive domains impersonating your brand and act quickly to take them down.
- Keep an eye out for unauthorized code changes and deploy controls to detect tampered payment pages or skimmers.
- Centralize logging to monitor suspicious admin actions, session hijacking, or unusual database access.
- Align fraud, security, and customer service teams on a shared cyber incident escalation path for the holiday period.
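The lookalike-domain monitoring recommended above can be started with a simple triage pass over a feed of newly registered domains. The following Python script is an added illustration, not code from FortiGuard Labs or the FortiRecon report: it normalizes common character substitutions (digits for letters, "rn" for "m"), flags labels that contain or sit within a small edit distance of a protected brand name, and tags the holiday lure terms the report describes. The brand names, the domain feed and the allowlist are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample inputs (not from the report): brands to protect and a feed of
# newly registered domains, including some that should not be flagged.
PROTECTED_BRANDS = ["fortishop", "megamart", "bigretail"]
HOLIDAY_TERMS = ["christmas", "blackfriday", "flashsale", "cybermonday", "xmas"]
ALLOWLIST = {"fortishop.com"}  # the organization's own registrations
NEW_DOMAINS = [
    "fortishop.com",               # legitimate, on the allowlist
    "fort1shop-deals.com",         # digit-for-letter swap plus a lure word
    "rnegamart.net",               # "rn" visually imitates "m"
    "bigretail-blackfriday.shop",  # brand name combined with a holiday term
    "christmas-flashsale-2025.xyz",
    "weatherreport.org",           # unrelated, must not be flagged
]

# Visually confusable characters mapped back to the letter they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


@dataclass
class Finding:
    domain: str
    severity: str
    reasons: list


def normalize(text: str) -> str:
    """Fold homoglyphs and separators so 'fort1-sh0p' compares equal to 'fortishop'."""
    text = text.lower().translate(HOMOGLYPHS)
    text = text.replace("rn", "m").replace("vv", "w")
    return text.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Take the label before the last dot. Real tooling should use a public-suffix
    list; this simplification is enough for the constructed sample."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def triage(domains, brands, holiday_terms, allowlist):
    """Return a Finding for every domain that impersonates a brand or carries a
    holiday lure term; clean domains and allowlisted ones produce nothing."""
    findings = []
    for domain in domains:
        if domain.lower() in allowlist:
            continue
        label = registrable_label(domain)
        norm = normalize(label)
        reasons = []
        for brand in brands:
            b = normalize(brand)
            if b in norm:
                reasons.append(f"contains brand '{brand}'")
                continue
            # Allow roughly one edit per four characters of the brand name.
            threshold = max(1, len(b) // 4)
            for token in label.split("-"):
                if levenshtein(normalize(token), b) <= threshold:
                    reasons.append(f"near-miss of brand '{brand}' (token '{token}')")
                    break
        lures = [t for t in holiday_terms if t in norm]
        if lures:
            reasons.append("holiday lure terms: " + ", ".join(lures))
        if not reasons:
            continue
        # Brand impersonation outranks a bare holiday lure.
        brand_hit = any(r.startswith(("contains", "near-miss")) for r in reasons)
        findings.append(Finding(domain, "high" if brand_hit else "medium", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(NEW_DOMAINS, PROTECTED_BRANDS, HOLIDAY_TERMS, ALLOWLIST):
        print(f"{f.severity:6} {f.domain}: {'; '.join(f.reasons)}")
```

High-severity findings are the candidates for a takedown request; medium ones are worth watching until the content is confirmed. In practice the domain feed would come from certificate transparency logs or a registration monitoring service, and the brand list would include product names and common misspellings.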
Best practices for consumers
- Double-check URLs before entering login credentials or payment information.
- Use credit cards or trusted payment processors that offer fraud protection.
- Enable MFA for shopping, email, and banking accounts.
- Avoid public Wi-Fi (or use a VPN) for shopping or financial transactions.
- Be cautious of unsolicited messages or unrealistic promotions, especially related to deliveries or discounts.
- Regularly review bank and card statements to catch unauthorized charges early.