Organisations operating online retail platforms are facing a heightened level of cyber risk ahead of the 2025 holiday season, according to recent security research and threat analysis. Attackers are increasingly deploying automated, AI-enabled tactics and targeting both infrastructure and users, as a surge in online shopping and digital payment activity is creating new opportunities for cybercrime.

Malicious domains

Analysis of recent activity reveals a rapid growth in the creation of malicious and deceptive domains designed to mimic holiday sales and major retail brands. Over the past three months, more than 18,000 domains featuring holiday-related terms such as “Christmas,” “Black Friday,” and “Flash Sale” were registered. Of these, at least 750 have already been confirmed as malicious.

There has also been a large increase in domains imitating well-known eCommerce brands. Over 19,000 such domains were registered, nearly 2,900 of which were identified as malicious. These domains are being used to facilitate phishing, fraudulent storefronts, gift card scams, and payment data harvesting. They also support search engine optimisation (SEO) manipulation campaigns, which attempt to position malicious URLs prominently in search results during peak shopping periods.

Credential theft

The availability of stolen account credentials is fuelling credential abuse campaigns. Over 1.57 million user accounts from major eCommerce sites were identified as available for purchase on underground forums over the last quarter. These credentials are extracted from “stealer logs,” which contain browser-saved passwords, session cookies, and system details. Logs of this kind are especially valuable to attackers because shoppers often access their accounts from multiple devices during seasonal sales events.

Cybercriminal forums now offer advanced features such as search filters and automated delivery systems, making it easier for even low-skilled attackers to carry out credential stuffing, account takeovers, and unauthorised purchases. Additionally, cybercriminals are holding their own “holiday sales” on stolen card data and CVV identifiers, leading to increased financial fraud.

Platform vulnerabilities

Attackers are actively exploiting vulnerabilities in widely used eCommerce platforms. Vulnerabilities identified as CVE-2025-54236 in Magento, CVE-2025-61882 in Oracle E-Business Suite, and CVE-2025-47569 affecting the WooCommerce Ultimate Gift Card plugin pose particular risks. Security analysis shows over 250 Magento shops have displayed signs of compromise related to these flaws.

Attacks exploiting these and other vulnerabilities are being used to achieve remote code execution, steal enterprise resource planning data, manipulate databases, install payment skimmers, and steal payment information at checkout. Magecart-style JavaScript injection remains prevalent for harvesting credit card details directly from online purchase forms.

Commercialised cybercrime

A mature ecosystem of tools and services now supports cybercrime at scale. AI-powered frameworks handle large account brute-force attacks with realistic human timing, evading detection. Data validation tools targeted at eCommerce platforms like WooCommerce and WordPress allow fast checks of stolen usernames and passwords. Bulk proxy and VPN services rotate attacker IP addresses, making defence based on geolocation or rate limiting less effective.

Other services allow attackers to instantly set up fake stores and phishing pages, launch high-volume phone and SMS-based scams, and manipulate search results to make malicious websites appear more credible. Payment skimming toolkits and backdoors offer options for long-lasting data collection, while instructions on monetising stolen digital wallet balances or gift card credits circulate through criminal forums and encrypted channels.

Exploiting the surge

Holiday season transaction volume gives attackers more opportunity to rapidly monetise compromises. Underground markets are seeing increased sales of entire customer databases and stolen WooCommerce records containing sensitive shopper and merchant information.

Listings can include live session cookies, which enable threat actors to bypass multi-factor authentication and impersonate genuine users, increasing the likelihood of fraudulent purchases going undetected. Administrative and backend access to retail systems is also for sale, facilitating direct intervention in high-value commerce operations.

Mitigation guidance

Security leaders are being advised to implement a series of measures to reduce risk. These include regularly updating all software, enforcing strong password policies and multi-factor authentication, monitoring for imitation domains, using bot management, centralising logging, and ensuring rapid response to suspicious activity.
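The "monitoring for imitation domains" recommendation above, together with the holiday-term and brand-imitation registrations described earlier, can be approached with a triage filter run over a feed of newly registered domains. The Python below is an added example written for this article, not code from Fortinet or from the research it summarises; the protected brand names, the homoglyph table and the sample feed are constructed, and the holiday terms are the ones the article cites.

```python
# Constructed inputs: hypothetical retailer names to protect, plus the
# holiday terms the article reports in malicious registrations.
PROTECTED_BRANDS = ["examplemart", "shopexample"]
HOLIDAY_TERMS = ["christmas", "blackfriday", "flashsale"]

# Character swaps commonly used in lookalike labels (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

def normalise(label: str) -> str:
    """Lower-case a label, drop hyphens and undo common homoglyph swaps."""
    label = label.lower().replace("-", "")
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level_label(domain: str) -> str:
    """Registrable label; treats the last dot-part as the TLD (simplification)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str, max_distance: int = 2) -> list[str]:
    """Reasons a newly registered domain deserves analyst review (empty if none)."""
    label = normalise(second_level_label(domain))
    reasons = []
    for brand in PROTECTED_BRANDS:
        if label == brand:
            continue  # the brand's own registration is not an imitation
        if brand in label:
            reasons.append(f"contains brand '{brand}'")
        elif levenshtein(label, brand) <= max_distance:
            reasons.append(f"within {max_distance} edits of brand '{brand}'")
    reasons.extend(f"holiday term '{t}'" for t in HOLIDAY_TERMS if t in label)
    return reasons

def triage(feed: list[str]) -> dict[str, list[str]]:
    """Map each flagged domain in a registration feed to its reasons."""
    return {d: r for d in feed if (r := classify(d))}

CONSTRUCTED_FEED = [
    "examplemart.com",               # legitimate brand, must not be flagged
    "examp1emart-blackfriday.shop",  # digit homoglyph plus holiday term
    "exampIemart.com",               # capital I standing in for lowercase l
    "christmas-flashsale.net",       # holiday terms only
    "news.example.org",              # unrelated registration
]
```

Flagged entries are a starting point for takedown requests and for blocking at the web proxy, not a verdict on their own; a multi-part public suffix list would replace the TLD simplification in production.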

Consumers are urged to verify website addresses before entering any payment details, use payment methods offering fraud protection, enable multi-factor authentication, and avoid public Wi-Fi for online purchases.

“The traditional holiday spike in cyber activity now intersects with large stealer-log ecosystems, commodity AI tooling, and widespread vulnerabilities in eCommerce infrastructure,” said Derek Manky, Chief Security Strategist and Global VP of Threat Intelligence, Fortinet.