Hackers Registered 18,000 Holiday-Themed Domains Targeting\u00a0\u2018Christmas,\u2019 \u2018Black Friday,\u2019 and \u2018Flash Sale\u2019
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The 2025 holiday season has unleashed an unprecedented wave of cyber threats, with attackers deploying industrialized infrastructure to exploit the global surge in online commerce.<\/p>\n
This year\u2019s threat landscape is characterized by a calculated expansion of deceptive digital assets, where criminals leverage automated tools to scale their operations across multiple merchant categories.<\/p>\n
The primary vector for these campaigns involves the mass creation of look-alike websites designed to mimic legitimate retailers and capture sensitive consumer data during peak shopping periods.<\/p>\n
One of the most significant indicators of this pre-holiday offensive is the registration of over 18,000 holiday-themed domains in the past three months alone.<\/p>\n
Targeting high-traffic keywords such as \u201cChristmas,\u201d \u201cBlack Friday,\u201d and \u201cFlash Sale,\u201d these domains serve as the backbone for phishing schemes and fraudulent storefronts.<\/p>\n
Many of these sites mimic household names with slight URL variations, making them nearly indistinguishable to hurried shoppers.<\/p>\n
While a portion of these domains<\/a> remain inactive to evade early detection, hundreds have already been weaponized to host gift card scams and payment-harvesting pages.<\/p>\n Fortinet security analysts identified<\/a> this extensive network of malicious infrastructure, noting that the campaign\u2019s scale facilitates effective SEO poisoning.<\/p>\n By artificially inflating the search rankings of these malicious URLs, attackers ensure their fraudulent sites appear alongside legitimate results during peak traffic.<\/p>\n The researchers further highlighted a disturbing rise in credential theft<\/a>, with over 1.57 million login accounts from major e-commerce sites currently circulating in underground markets.<\/p>\n These \u201cstealer logs\u201d contain browser-stored passwords, cookies, and session tokens, enabling rapid account takeovers that bypass traditional login defenses (Figure 1: Domain Registration Trends).<\/p>\n The sophistication of these attacks is most evident in the targeted exploitation of critical e-commerce vulnerabilities. Attackers are actively leveraging CVE-2025-54236, a critical flaw in Adobe Magento caused by improper input validation.<\/p>\n This vulnerability allows threat actors to execute a remote code execution (RCE) attack, effectively bypassing authentication layers to achieve session takeover.<\/p>\n By injecting malicious payloads into unvalidated input fields, attackers gain administrative access, enabling them to install persistent backdoors or JavaScript-based web skimmers<\/a> directly onto checkout pages.<\/p>\n Additionally, the exploitation of CVE-2025-61882 in Oracle E-Business Suite permits unauthenticated RCE, allowing ransomware groups to paralyze backend inventory systems.<\/p>\n These technical incursions are executed via automated scripts that continuously probe for unpatched systems, transforming a single vulnerability into a gateway for massive data exfiltration<\/a>.<\/p>\n This systematic exploitation underscores the critical need for merchants to apply patches immediately.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Registered 18,000 Holiday-Themed Domains Targeting\u00a0\u2018Christmas,\u2019 \u2018Black Friday,\u2019 and \u2018Flash Sale\u2019<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Exploitation of Platform Vulnerabilities<\/strong><\/h2>\n
\n\n
\n \nCVE ID \/ Threat<\/th>\n Platform & Component<\/th>\n Vulnerability Type<\/th>\n Severity (CVSS)<\/th>\n Impact & Exploitation Details<\/th>\n Remediation \/ Action<\/th>\n<\/tr>\n<\/thead>\n \n CVE-2025-54236<\/strong><\/td>\n \nAdobe Commerce<\/strong> & Magento Open Source<\/strong>\n<\/td>\n Improper Input Validation<\/td>\n \n9.1<\/strong> (Critical)<\/td>\n \nActive Exploitation (SessionReaper):<\/strong> Allows unauthenticated attackers to hijack sessions and achieve Remote Code Execution (RCE)<\/strong>. Over 250 stores confirmed compromised. Attackers use this to inject skimmers and steal admin access.<\/td>\n \nPatch Immediately:<\/strong> Apply Adobe Security Bulletin APSB25-88<\/strong>. Ensure versions are upgraded to 2.4.7-p8, 2.4.6-p13, or 2.4.5-p15.<\/td>\n<\/tr>\n \n CVE-2025-61882<\/strong><\/td>\n \nOracle E-Business Suite<\/strong> (Oracle EBS)<\/td>\n Unauthenticated RCE<\/td>\n \n9.8<\/strong> (Critical)<\/td>\n \nRansomware Target:<\/strong> A flaw in the BI Publisher Integration<\/strong> allows attackers to execute code remotely without login. Actively used by ransomware groups (e.g., Clop) to steal ERP data and disrupt inventory\/order systems.<\/td>\n \nUpdate:<\/strong> Apply the Oracle Critical Patch Update (October 2025)<\/strong> immediately. Isolate EBS from public internet access if patching is delayed.<\/td>\n<\/tr>\n \n CVE-2025-47569<\/strong><\/td>\n \nWordPress WooCommerce<\/strong> (Ultimate Gift Card Plugin)<\/td>\n SQL Injection (SQLi)<\/td>\n \n9.3<\/strong> (Critical)<\/td>\n \nDatabase Exfiltration:<\/strong> Unauthenticated attackers can manipulate database queries to dump sensitive customer data (PII) and admin credentials. Darknet markets are currently selling access to breached stores using this flaw.<\/td>\n \nUpdate\/Patch:<\/strong> Update the WooCommerce Ultimate Gift Card<\/em> plugin to version > 2.8.10<\/strong>. If unable to update, disable the plugin immediately.<\/td>\n<\/tr>\n \n CVE-2025-62416<\/strong><\/td>\n \nBagisto<\/strong> (Laravel-based Platform)<\/td>\n Server-Side Template Injection (SSTI)<\/td>\n \nCritical<\/strong> (Risk)<\/td>\n \nRCE via Product Description:<\/strong> Attackers with product-creation access can inject malicious template code into product descriptions. When rendered by the server, this executes arbitrary code, leading to full server takeover.<\/td>\n \nUpdate:<\/strong> Upgrade Bagisto to version v2.3.8<\/strong> or later. Sanitize all product description inputs if using older versions.<\/td>\n<\/tr>\n \n CVE-2025-62417<\/strong><\/td>\n Bagisto<\/strong><\/td>\n CSV Formula Injection<\/td>\n High<\/strong><\/td>\n \nAdmin Compromise:<\/strong> Malicious product data (e.g., in a CSV export) can trigger formula execution when an admin opens the file in Excel\/Sheets, leading to command execution on the admin\u2019s local machine.<\/td>\n \nUpdate:<\/strong> Upgrade Bagisto to v2.3.8<\/strong>. Avoid opening untrusted CSV exports directly in spreadsheet software without sanitization.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n