FortiGuard Labs flags rise in identity- and infrastructure-led attacks during holiday shopping season

Cybercriminal activity targeting online commerce platforms has intensified during the 2025 holiday shopping period, according to new research from FortiGuard Labs. The study indicates a sharp increase in malicious infrastructure creation, account compromise activity and targeted exploitation of e-commerce systems compared to previous years.

According to the findings, attackers began preparing months in advance of peak shopping season, using increasingly industrialised tools and services to scale attacks across platforms, geographies and merchant categories. FortiGuard Labs noted that the convergence of higher transaction volumes, digital payments and promotional events has created conditions that threat actors are actively exploiting.

The analysis is based on data collected over the past three months and forms part of the FortiRecon Cyberthreat Landscape Overview for the 2025 holiday season. According to the researchers, attackers are operating with greater speed and automation, taking advantage of seasonal surges in online activity.

“What stands out this year is how professional and automated holiday season cybercrime has become. Attackers are planning months ahead and targeting online commerce platforms when transaction volumes are at their highest. For Indian organisations, especially those running e-commerce and digital payment platforms, this reinforces the need for strong visibility across systems and the ability to detect unusual behaviour quickly, particularly during busy sales and promotional periods,” said Vivek Srivastava, Country Manager, India & SAARC, Fortinet.

Growth in holiday-themed malicious infrastructure

One of the earliest indicators of attacker preparation highlighted in the report is domain registration activity. FortiGuard Labs said it identified more than 18,000 holiday-themed domains registered over the past three months, incorporating terms such as “Christmas,” “Black Friday,” and “Flash Sale.” Of these, at least 750 domains were confirmed to be malicious, while many others remain unclassified and potentially risky.

The research also identified a surge in domains impersonating well-known retail brands. According to FortiGuard Labs, more than 19,000 e-commerce-themed domains were registered, with around 2,900 confirmed as malicious. These domains are commonly used to support phishing campaigns, fraudulent storefronts, gift card scams and payment-harvesting schemes, as well as SEO poisoning efforts that elevate malicious links in search results during peak shopping events.

Stolen credentials fuel account abuse

The report also points to a sharp increase in the availability of stolen account data. FortiGuard Labs observed that more than 1.57 million login credentials linked to major e-commerce platforms were collected via stealer logs and circulated through underground marketplaces over the past three months.

Stealer logs typically include browser-stored passwords, session cookies, autofill data and system fingerprints. According to the study, these datasets are particularly valuable during the holiday season, when users log into multiple shopping and payment accounts across devices.

FortiGuard Labs noted that criminal marketplaces have matured, offering searchable indexes, reputation scoring and automated delivery of stolen data. This has lowered the technical barrier for attacks such as credential stuffing, account takeover and unauthorised purchases. The report also highlighted seasonal discounts on card dumps and CVV datasets, which attackers use to accelerate fraud during high-volume shopping periods.

Automation and services driving attack scale

According to the researchers, much of the current threat activity is enabled by a mature ecosystem of automated tools and services. AI-assisted brute-force frameworks are being used to conduct large-scale login attempts with behaviour designed to evade detection. Credential validation tools tailored for common platforms such as WooCommerce, WordPress and administrative panels allow attackers to rapidly test stolen credentials.

The report also highlighted the widespread use of rotating proxy and VPN services to bypass rate limiting and geofencing, along with instant-deployment hosting for phishing sites and malware delivery. Other services include website cloning tools for fake storefronts, automated vishing platforms with spoofed caller IDs, and SMS-based smishing campaigns targeting shoppers with fake delivery or discount messages.

SEO manipulation services and tools designed to implant payment skimmers or backdoors into content management systems were also identified as part of the broader attack ecosystem. FortiGuard Labs noted that even monetisation has become commoditised, with tutorials and services focused on converting stolen gift cards, e-wallet balances and payment data into cash or resalable assets.

Implications for enterprises

The study suggests that the holiday surge reflects broader shifts in cybercrime rather than a short-term seasonal spike. According to FortiGuard Labs, identity-based attacks have overtaken network-level exploits as a primary attack vector, while data theft increasingly poses greater financial and regulatory risk than service downtime.

For CISOs, fraud teams and e-commerce leaders, the report argues that integrating detection, response and exposure management is becoming essential to move from reactive incident handling to more predictable and measurable cyber risk reduction—during the holiday season and beyond.
