By Stefanie Schappert, senior journalist at Cybernews
As holiday shopping ramps up, cybercriminals are unleashing a new wave of attacks designed to steal money, data, and personal information from unsuspecting shoppers.
Just released into the wild on Tuesday is the aptly named SantaStealer, a Window device- targeting malware that runs entirely in memory to avoid detection.
The infostealer, discovered by Rapid7 Labs, quietly collects passwords, documents, and digital wallets, bypassing traditional antivirus programs.
Currently being sold on Telegram and dark web forums – complete with professional marketing and even a $1000 lifetime plan – this Malware-as-a-Service (MaaS) is a stark example of how cybercrime is rapidly being industrialised, with attackers packaging complex threats for anyone willing to pay.
Fake Websites Trick Shoppers to Steal Payment Info
But the Christmas-themed SantaStealer is just the tip of the iceberg. Thousands of fake online stores and phishing campaigns have been circulating on the web this season, exploiting the holiday rush and consumer urgency.
Research by CloudSEK detected over 2,000 holiday-themed scam sites, many impersonating shopping giants such as Amazon and eBay, major retailers such as Walmart, Target, and Best Buy, and even high-end luxury brands Gucci and Louis Vuitton.
With identical templates, countdown timers, and fake trust badges, the bad guys know consumers will click through these so-called secure sites to catch limited-time deals – all while fraudsters harvest their payment information.
In fact, over 750 interconnected sites, including more than 170 Amazon-lookalikes, and over 1,000 .shop domains were reported.
NordVPN also reported a 250% increase in such AI-created sites in October alone, with fake eBay sites surging a staggering 525% just before Thanksgiving.
From AI-phishing Scams to Fake Holiday Invites
Phishing attacks are also on the rise, with scammers sending emails, texts, and social media messages that appear to come from trusted retailers, delivery services, or even charities.
Fake shipping notifications, holiday e-cards and Christmas party invites – from sites like Punchbowl and Eventbrite – once opened, can give attackers full control of devices, steal personal data, or even spread ransomware across networks.
With Mastercard reporting more than 70% of consumers struggling to identify phishing websites, the familiarity of holiday greetings makes victims more likely to trust the content, increasing the effectiveness of these attacks.
The addition of AI-driven phishing makes these attacks even more convincing, using cloned voices, realistic images, or deepfake videos to trick even cautious users.
But the threats don’t stop there. Charity scams and mail-based fraud are also rising sharply.
Fraudsters set up fake charities, copying legitimate nonprofit logos and websites, and push urgent donation requests through email, by phone, social media, or crowdfunding platforms.
During the season of giving, mail based fraud can trick the recipient to open malware-laced QR codes or visit fake websites for “more information,” or even receive “free gifts.”
These scams exploit goodwill, creating pressure with emotional appeals or claims of immediate need.
“Pause Before Acting” to Avoid Scams
Victims are said to often feel embarrassed or unsure how to respond when they are scammed, which is exactly what the bad guys are counting on.
According to the FBI’s Internet Crime Complaint Center (IC3), in 2024, holiday scams involving gift cards, online donations, and non-delivery fraud collectively cost victims nearly $1 billion, with credit card fraud adding another $199 million.
“If you feel pressured to act fast, pay money, or turn over personal information—take a beat. Stop and assess if what you’re being told is real,” warns FBI Director Kash Patel. “Your caution is your strongest defense.”
Recognizing subtle red flags — misspelled URLs, unusual sender addresses, or unsolicited attachments — is critical.
Always verify charities independently, avoid sending funds via gift cards, and treat unexpected downloads or drives with caution.
Always use multi-factor authentication where accounts allow, strong passwords, and monitor accounts regularly to add additional layers of protection.
Remember, scammers rely on haste and goodwill, something the holiday season naturally encourages.
The convergence of tech and brands 