Executive Summary
During the 2025 Black Friday sales period, a massive wave of phishing, financial malware, and scam campaigns targeted global consumers across e-commerce, online banking, payment systems, and gaming platforms. Threat actors leveraged sophisticated phishing pages mimicking major retailers like Amazon, Alibaba, and Walmart, and deployed banking Trojans such as Maverick and Efimer via email and messaging apps. Over 6.4 million e-commerce phishing attempts and 1.09 million banking Trojan attacks were detected, with cybercriminals intensively exploiting shopping and gaming hype to harvest credentials, payment data, and digital assets.
This incident highlights an ongoing shift as cyber attackers increasingly time their campaigns around large global retail events, exploiting predictable user behavior and surges in online activity. Threats have diversified across platforms, with a notable rise in attacks on gaming services and dramatic increases in malicious activity leveraging Discord and Steam, signaling a pressing need for adaptive, multi-layered cyber defenses.
Why This Matters Now
This incident underscores the urgent risk facing consumers and retail businesses during major shopping events, as threat actors continue to escalate their tactics and expand their targets. With phishing, financial malware, and fraud surging during peak e-commerce periods, organizations must prioritize advanced threat detection, multi-factor authentication, and real-time user education to reduce rapidly evolving attack surfaces.
Attack Path Analysis
Threat actors began by delivering phishing emails and malicious links mimicking major retailers and gaming platforms to trick users into revealing credentials or installing banking trojans. After initial access, malware or compromised credentials allowed for privilege escalation, granting attackers access to sensitive payment systems or cloud resources. The adversary then sought to move laterally, exploring internal resources and targeting additional accounts and workloads associated with e-commerce or gaming services. Persistent command and control was maintained via remote access tools and covert channels, enabling continued malicious activity. Sensitive financial and personal data was exfiltrated through encrypted or obfuscated outbound traffic. Ultimately, attackers monetized stolen credentials and card data by selling them on the dark web, leading to financial loss and potential disruption for individuals or affected businesses.
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged large-scale phishing campaigns and malicious emails themed around Black Friday, e-commerce, or gaming offers to lure victims into revealing credentials or downloading banking trojans.
Related CVEs
CVE-2025-24893
CVSS 9.8
An eval injection vulnerability in XWiki Platform allows unauthenticated remote code execution via a crafted HTTP request.
Affected Products:
XWiki XWiki Platform – < 13.10.11, < 14.4.7, < 14.10.3
Exploit Status:
exploited in the wild

CVE-2025-40600
CVSS 9.8
A format string vulnerability in the SonicOS SSL VPN interface allows remote code execution by unauthenticated attackers.
Affected Products:
SonicWall SonicOS – < 7.0.1-5050
Exploit Status:
exploited in the wild

CVE-2025-25000
CVSS 8.8
A type confusion vulnerability in Microsoft Edge allows remote code execution via crafted web content.
Affected Products:
Microsoft Edge – < 100.0.1185.50
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Phishing: Spearphishing Link
User Execution: Malicious File
Phishing
Valid Accounts
Input Capture: Keylogging
Adversary-in-the-Middle: ARP Cache Poisoning
Credentials from Web Browsers
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Secure Transmission of Cardholder Data (Control ID: 3.2.1)
- PCI DSS 4.0 – User and Authentication Management (Control ID: 10.2.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Program (Control ID: 500.02)
- DORA – ICT Risk Management (Control ID: Article 9)
- NIS2 Directive – Cybersecurity Risk-management Measures (Control ID: Article 21)
- CISA ZTMM 2.0 – Identity and Access Management (Control ID: Identity Pillar)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Direct targeting through phishing campaigns mimicking major retailers, payment fraud during Black Friday, and financial malware attacks exploiting peak shopping periods.
Banking/Mortgage
Banking trojans stealing credentials during checkout processes, phishing attacks targeting financial services, and compromised payment systems during high-volume transaction periods.
Computer Games
Some 20 million attempted attacks on gaming platforms, a 14-fold increase in Discord-based malware distribution, and phishing campaigns targeting gaming accounts and assets.
Financial Services
Payment system impersonation attacks, credential theft through fake checkout forms, and compliance violations related to encrypted traffic and data protection requirements.
Sources
- To buy or not to buy: How cybercriminals capitalize on Black Friday: https://securelist.com/black-friday-threat-report-2025/118083/
- Critical XWiki Platform Vulnerability: The CVE-2025-24893 Eval Injection Crisis Shaking Enterprise Collaboration Systems: https://www.siteguarding.com/security-blog/critical-xwiki-platform-vulnerability-the-cve-2025-24893-eval-injection-crisis-shaking-enterprise-collaboration-systems/
- Vulnerability Summary for the Week of July 27, 2025: https://cdn.nca.gov.sa/api/files/public/upload/8d480d91-bddb-45b9-8f85-877c75b56d70_Weekly_Vulnerabilities_Summary_27_Jul_to_02_Aug---Copy.pdf
- CVE-2025-25000 | Armis Vulnerability Intelligence Database: https://cve.armis.com/cve-2025-25000
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust principles through segmentation, identity-aware policy, encrypted traffic inspection, egress restriction, and runtime threat detection would have contained the spread of malicious artifacts, minimized unauthorized access, and prevented exfiltration paths used by attackers throughout the kill chain.
- Control: Threat Detection & Anomaly Response. Mitigation: Improved detection and alerting of phishing attempts and malicious file delivery.
- Control: Zero Trust Segmentation. Mitigation: Limited pivot potential from compromised users or workloads.
- Control: East-West Traffic Security. Mitigation: Detection and containment of unauthorized internal movement.
- Control: Inline IPS (Suricata). Mitigation: Detection and disruption of C2 communications.
- Control: Egress Security & Policy Enforcement. Mitigation: Blocked unauthorized or anomalous data exfiltration attempts.
Autonomous detection, response, and containment mitigate business impact.
Impact at a Glance
Affected Business Functions
- E-commerce Transactions
- Customer Data Management
- Payment Processing
Estimated downtime: 5 days
Estimated loss: $5,000,000
Potential exposure of customer personal and financial data due to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Apply granular Zero Trust Segmentation to limit the blast radius of compromised accounts and workloads.
- Enforce strict East-West Traffic Security between all cloud and on-prem resources to detect and block lateral movement by malware.
- Deploy robust Egress Security & Policy Enforcement, including FQDN filtering and outbound inspection, to prevent exfiltration of sensitive data.
- Integrate Threat Detection & Anomaly Response capabilities for continuous monitoring and rapid incident response across cloud environments.
- Leverage Cloud Native Security Fabric for unified multicloud visibility, policy automation, and distributed inline protection against evolving phishing and malware campaigns.