Cybercriminal activity is surging ahead of the 2025 holiday season. Deceptive domains, stolen accounts, and e-commerce attacks are accelerating. Here’s what leaders need to know.
# Incident Report: Pre-Holiday Cyber Surge Analysis (2025)
## Executive Summary
Security analysis detected a sharp, coordinated surge in pre-holiday cybercriminal activity preceding the 2025 holiday season, characterized by massive infrastructure buildup and exploitation of high-volume online commerce. Attackers weaponized deceptive domains and leveraged extensive stashes of stolen account credentials to facilitate widespread phishing, fraudulent storefronts, and account takeover (ATO) attacks against retailers and financial institutions. Organizations were urged to rapidly deploy layered defenses across network, email, and endpoint layers to mitigate known exploitation vectors.
## Incident Details
- **Discovery Date:** Preceding the Q4 2025 holiday season (Data analyzed over the *past three months* leading up to the report date of November 25, 2025).
- **Incident Date:** Ongoing surge detected across Q3/Q4 2025.
- **Affected Organization:** Multiple targets (Retailers, Financial Institutions, E-commerce platforms) across various geographies.
- **Sector:** E-commerce, Retail, Financial Services.
- **Geography:** Global (Implied by global retail activity and threat landscape analysis).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing preparation leading into the holiday shopping peak (e.g., Black Friday).
- **Vector:** Creation of malicious infrastructure (deceptive domains) and procurement of stolen credentials (stealer logs).
- **Details:** Over 18,000 holiday-themed domains were registered, with at least 750 confirmed malicious. Over 19,000 e-commerce-themed domains were registered, with 2,900 confirmed malicious, designed to mimic major retail brands.
### Lateral Movement
*Not explicitly detailed for specific victim networks, but highly implied through the use of stolen session tokens/cookies for Account Takeover (ATO).*
### Data Exfiltration/Impact
- **What was stolen or damaged:** Stolen login credentials, session tokens, cookies, autofill data, and financial data (CVV datasets/card dumps). Impact includes unauthorized purchases, fraudulent transactions, and potential PII/financial exposure via fraudulent storefronts.
### Detection & Response
- **How it was discovered:** FortiGuard Labs threat research analyzed domain registration patterns and underground market availability of stealer logs over the preceding three months.
- **Response actions taken (Recommendations based on available protections):** Deployment/update of FortiGate, FortiMail, FortiClient, and FortiEDR with active FortiGuard Antivirus Service; utilization of FortiMail and FortiSandbox for anti-phishing; deployment of Security Awareness Training; Web Filtering and IP Reputation to block adversarial infrastructure.
## Attack Methodology
- **Initial Access:** Phishing, fraudulent storefronts, SEO poisoning campaigns leading users to malicious URLs.
- **Persistence:** Not explicitly detailed in the context provided, but implied persistence via session tokens/cookies during account takeovers.
- **Privilege Escalation:** Likely unnecessary: a stolen session token or cookie grants the attacker the same access as the already logged-in user, so no escalation step is needed.
- **Defense Evasion:** Use of slight variations in retail domains to evade initial user scrutiny in high-pressure shopping scenarios.
- **Credential Access:** Harvesting of stored browser passwords, cookies, and session tokens via stealer logs purchased on underground markets (1.57 million accounts collected in 3 months).
- **Discovery:** N/A (Attackers sourced existing data dumps).
- **Lateral Movement:** Via compromised accounts using stolen session cookies/tokens.
- **Collection:** Acquisition of stealer logs containing comprehensive user data (passwords, autofill, etc.).
- **Exfiltration:** Focus on harvesting payment data and executing unauthorized transactions via ATO.
- **Impact:** Financial fraud, unauthorized purchases, PII exposure.
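The defense-evasion technique above (slight variations of retail brand names, combined with holiday lure words) can be triaged on the defender side before a domain reaches a blocklist. The following is an added example, not code from the report or from FortiGuard Labs; the brand list, lure words, score weights and sample domains are constructed assumptions, and the check accepts defanged input in the same `hxxp://…[.]com` form the report uses.

```python
"""Lookalike-domain triage against a retail brand list (added example)."""
import re

# Assumed brand list a retailer's SOC would maintain (constructed, not from the report).
BRANDS = ["megamart", "shopzone", "dealhub"]
# Holiday / e-commerce lure words; 'blackfriday' mirrors the report's defanged IoC.
LURE_WORDS = ["blackfriday", "cybermonday", "holiday", "deals", "sale", "checkout", "login"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character brand variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label of a plain or defanged domain (hxxp://, [.] tolerated)."""
    d = domain.lower().replace("[.]", ".")
    d = re.sub(r"^hxxps?://|^https?://", "", d).split("/")[0]
    parts = d.split(".")
    return parts[-2] if len(parts) >= 2 else d

def score_domain(domain: str) -> tuple[int, list[str]]:
    """Return (risk score, reasons); higher means closer to a brand/lure pattern."""
    label = registrable_label(domain)
    score, reasons = 0, []
    for brand in BRANDS:
        dist = levenshtein(label, brand)
        if dist == 0:
            continue  # exact brand label: TLD-squatting checks are out of scope here
        if dist <= 2:
            score += 3; reasons.append(f"near-miss of '{brand}' (distance {dist})")
        elif brand in label:
            score += 2; reasons.append(f"embeds brand '{brand}'")
    for word in LURE_WORDS:
        if word in label:
            score += 1; reasons.append(f"lure word '{word}'")
    return score, reasons

def triage(domains: list[str], threshold: int = 3) -> list[str]:
    """Domains at or above the threshold, queued for blocklist review."""
    return [d for d in domains if score_domain(d)[0] >= threshold]
```

Feed it a newly-registered-domain or passive-DNS feed; a low non-zero score (holiday word without a brand hit) is worth a second, lower-priority queue rather than silence.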
## Impact Assessment
- **Financial:** High risk of unauthorized purchases, card fraud losses associated with data dumps/CVV sales, and costs associated with potential account breaches for customers and retailers.
- **Data Breach:** Potential exposure of user PII, login credentials, payment information, and session data from over 1.57 million compromised accounts.
- **Operational:** Potential disruption to customer service and backend systems due to ATOs impacting retailer accounts.
- **Reputational:** Significant risk to retail brands due to phishing attacks mimicking their promotions.
## Indicators of Compromise
- **Network indicators:** Access attempts to newly registered deceptive/e-commerce mimicking domains (Defanged example: `hxxp://suspicious-blackfriday[.]com`).
- **File indicators:** Stealer-log malware families.
- **Behavioral indicators:** High volume of login attempts sourced from known stealer log marketplace access points; unusual session activity following login via harvested cookies.
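The behavioral indicator above (unusual session activity after a harvested cookie is replayed) can be turned into a concrete check: a session cookie that was issued to one client fingerprint and later arrives from another. This is an added example, not code from the report or from FortiGuard Labs; the log field layout, the fingerprint choice (source IP plus a user-agent hash) and the action names are assumptions, and the log lines are constructed.

```python
"""Session-cookie replay triage over web access logs (added example)."""
from dataclasses import dataclass

# Constructed sample lines: "<iso-timestamp> <session_id> <client_ip> <ua_hash> <action>"
LOG_LINES = [
    "2025-11-20T09:00:00 s1 203.0.113.10 ua-a login",
    "2025-11-20T09:05:00 s1 203.0.113.10 ua-a view_cart",
    "2025-11-20T13:40:00 s1 198.51.100.7 ua-b change_shipping_address",
    "2025-11-20T13:41:00 s1 198.51.100.7 ua-b checkout",
    "2025-11-20T10:00:00 s2 192.0.2.44 ua-c login",
    "2025-11-20T10:02:00 s2 192.0.2.44 ua-c checkout",
]
# Actions where a fingerprint mismatch should force MFA step-up, not just an alert.
SENSITIVE = {"checkout", "change_shipping_address", "change_payment", "change_email"}

@dataclass
class Finding:
    session_id: str
    action: str
    login_fp: tuple   # (ip, ua_hash) seen at login, () if no login in this window
    seen_fp: tuple    # (ip, ua_hash) on the suspicious request
    def step_up_required(self) -> bool:
        return self.action in SENSITIVE

def parse(line: str):
    ts, sid, ip, ua, action = line.split()
    return ts, sid, (ip, ua), action

def detect_cookie_replay(lines: list[str]) -> list[Finding]:
    """One Finding per request whose fingerprint differs from the login fingerprint."""
    login_fp: dict[str, tuple] = {}
    findings: list[Finding] = []
    for line in sorted(lines):  # ISO timestamps sort lexically, so this orders by time
        _, sid, fp, action = parse(line)
        if action == "login":
            login_fp[sid] = fp
            continue
        if sid not in login_fp:
            findings.append(Finding(sid, action, (), fp))  # cookie with no observed login
        elif login_fp[sid] != fp:
            findings.append(Finding(sid, action, login_fp[sid], fp))
    return findings

def sessions_to_revoke(findings: list[Finding]) -> set[str]:
    """Sessions that hit a sensitive action from a mismatched fingerprint."""
    return {f.session_id for f in findings if f.step_up_required()}
```

A pure IP change can be legitimate (mobile networks, VPNs), so in production the mismatch should gate a step-up challenge rather than block outright; the report's MFA recommendation is what makes the replayed cookie worthless at that point.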
## Response Actions
- **Containment measures:** Blocking access to known malicious domains via Web Filtering and IP Reputation services; quarantining emails containing phishing lures or links.
- **Eradication steps:** Anti-malware scans for stealer-log malware families on endpoints; forcing password resets for potentially compromised internal accounts utilizing employee credentials (if applicable).
- **Recovery actions:** Restoring customer trust through transparency; deploying high-alert monitoring on payment gateways during peak sales.
## Lessons Learned
- **Key takeaways:** Threat actors are leveraging highly industrialized, automated services (searchable stealer logs, automated delivery) to drastically lower the barrier to entry for credential abuse during peak seasons. The volume of newly registered deceptive infrastructure (over 37,000 unique high-risk domains identified) indicates coordinated pre-planning by threat groups.
- **What could have been done better:** Organizations must proactively simulate attacks (phishing simulations) tailored to holiday urgency to train staff against novel lures.
## Recommendations
- **Prevention measures for similar incidents:** Implement real-time Web Filtering and DNS protection to block access to newly registered malicious domains immediately. Leverage **Content Disarm and Reconstruction (CDR)** services to neutralize embedded scripts in incoming documents/emails. Enhance **Multi-Factor Authentication (MFA)** usage across all critical systems, even for seemingly low-risk logins, to neutralize the value of stolen session tokens/cookies.