Hackers Registered 18,000 Holiday-Themed Domains Targeting ‘Christmas,’ ‘Black Friday,’ and ‘Flash Sale’

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The 2025 holiday season has unleashed an unprecedented wave of cyber threats, with attackers deploying industrialized infrastructure to exploit the global surge in online commerce.

This year’s threat landscape is characterized by a calculated expansion of deceptive digital assets, where criminals leverage automated tools to scale their operations across multiple merchant categories.

The primary vector for these campaigns involves the mass creation of look-alike websites designed to mimic legitimate retailers and capture sensitive consumer data during peak shopping periods.

One of the most significant indicators of this pre-holiday offensive is the registration of over 18,000 holiday-themed domains in the past three months alone.

Targeting high-traffic keywords such as “Christmas,” “Black Friday,” and “Flash Sale,” these domains serve as the backbone for phishing schemes and fraudulent storefronts.

Many of these sites mimic household names with slight URL variations, making them nearly indistinguishable to hurried shoppers.

While a portion of these domains remain inactive to evade early detection, hundreds have already been weaponized to host gift card scams and payment-harvesting pages.

Fortinet security analysts identified this extensive network of malicious infrastructure, noting that the campaign’s scale facilitates effective SEO poisoning.

By artificially inflating the search rankings of these malicious URLs, attackers ensure their fraudulent sites appear alongside legitimate results during peak traffic.

The researchers further highlighted a disturbing rise in credential theft, with over 1.57 million login accounts from major e-commerce sites currently circulating in underground markets.

These “stealer logs” contain browser-stored passwords, cookies, and session tokens, enabling rapid account takeovers that bypass traditional login defenses (Figure 1: Domain Registration Trends).

Technical Exploitation of Platform Vulnerabilities

The sophistication of these attacks is most evident in the targeted exploitation of critical e-commerce vulnerabilities. Attackers are actively leveraging CVE-2025-54236, a critical flaw in Adobe Magento caused by improper input validation.

This vulnerability allows threat actors to execute a remote code execution (RCE) attack, effectively bypassing authentication layers to achieve session takeover.

By injecting malicious payloads into unvalidated input fields, attackers gain administrative access, enabling them to install persistent backdoors or JavaScript-based web skimmers directly onto checkout pages.

CVE ID / Threat Platform & Component Vulnerability Type Severity (CVSS) Impact & Exploitation Details Remediation / Action
CVE-2025-54236 Adobe Commerce & Magento Open Source Improper Input Validation 9.1 (Critical) Active Exploitation (SessionReaper): Allows unauthenticated attackers to hijack sessions and achieve Remote Code Execution (RCE). Over 250 stores confirmed compromised. Attackers use this to inject skimmers and steal admin access. Patch Immediately: Apply Adobe Security Bulletin APSB25-88. Ensure versions are upgraded to 2.4.7-p8, 2.4.6-p13, or 2.4.5-p15.
CVE-2025-61882 Oracle E-Business Suite (Oracle EBS) Unauthenticated RCE 9.8 (Critical) Ransomware Target: A flaw in the BI Publisher Integration allows attackers to execute code remotely without login. Actively used by ransomware groups (e.g., Clop) to steal ERP data and disrupt inventory/order systems. Update: Apply the Oracle Critical Patch Update (October 2025) immediately. Isolate EBS from public internet access if patching is delayed.
CVE-2025-47569 WordPress WooCommerce (Ultimate Gift Card Plugin) SQL Injection (SQLi) 9.3 (Critical) Database Exfiltration: Unauthenticated attackers can manipulate database queries to dump sensitive customer data (PII) and admin credentials. Darknet markets are currently selling access to breached stores using this flaw. Update/Patch: Update the WooCommerce Ultimate Gift Card plugin to version > 2.8.10. If unable to update, disable the plugin immediately.
CVE-2025-62416 Bagisto (Laravel-based Platform) Server-Side Template Injection (SSTI) Critical (Risk) RCE via Product Description: Attackers with product-creation access can inject malicious template code into product descriptions. When rendered by the server, this executes arbitrary code, leading to full server takeover. Update: Upgrade Bagisto to version v2.3.8 or later. Sanitize all product description inputs if using older versions.
CVE-2025-62417 Bagisto CSV Formula Injection High Admin Compromise: Malicious product data (e.g., in a CSV export) can trigger formula execution when an admin opens the file in Excel/Sheets, leading to command execution on the admin’s local machine. Update: Upgrade Bagisto to v2.3.8. Avoid opening untrusted CSV exports directly in spreadsheet software without sanitization.

Additionally, the exploitation of CVE-2025-61882 in Oracle E-Business Suite permits unauthenticated RCE, allowing ransomware groups to paralyze backend inventory systems.

These technical incursions are executed via automated scripts that continuously probe for unpatched systems, transforming a single vulnerability into a gateway for massive data exfiltration.

This systematic exploitation underscores the critical need for merchants to apply patches immediately.

Follow us on Google News, LinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.