
Legacy Stripe API used to validate stolen cards


Security researchers are warning of a web skimming campaign that uses a legacy Stripe API to validate stolen cards and other payment details before the criminals use them for online transactions. Around 49 merchant websites are thought to have been affected so far.

Jscrambler researchers David Alves, Pedro Fortuna, and Pedro Marrucho report that the malicious activity has been ongoing since at least August 20, 2024. Only 15 of the compromised websites have so far removed the malicious code from their servers.

The campaign runs on malicious JavaScript snippets served from attacker-controlled domains. The snippets intercept and hide the legitimate payment form and show the user a fake Stripe payment screen in its place. To improve its odds, the skimmer also clones the order-placing button and hides the real one, so that the victim's click lands on the attacker's copy.


The attackers then use the deprecated Stripe API to validate the victim's payment details before sending them, Base64-encoded, to a remote server. Validating first is more efficient for the attackers, since only live, active cards are collected. It also makes the campaign harder to notice: because the stolen data is already known to be valid, few failed or rejected card entries show up, either on the merchant's payment page or later, when the criminals try to use the stolen credentials.

The researchers believe the threat actors are exploiting vulnerabilities or misconfigurations in popular e-commerce platforms such as PrestaShop, WooCommerce, and WordPress to plant a malicious JavaScript loader. Once in place, the loader fetches a second payload that carries the URL of the skimmer itself.

Once the card details have been validated, the bogus form displays an error and asks the user to reload the page. On reload the legitimate checkout loads, and the user completes the transaction as normal.
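The validate-then-exfiltrate flow described above leaves a detectable trace: a Base64 blob containing a Luhn-valid card number, leaving the page for a host that is not the merchant's payment provider. The following is an added example, not code from the Jscrambler report or from the campaign, showing a Node.js check that a proxy or browser-telemetry pipeline could run over captured outbound request bodies. The allowlist of payment-provider hosts (api.stripe.com, js.stripe.com), the host names and the sample request bodies are all constructed for the example.

```javascript
// Added example: detect Base64-encoded card data leaving a checkout page for a
// host outside the merchant's payment-provider allowlist. Hosts and sample
// traffic below are constructed, not taken from the campaign.

// Luhn check: separates real PANs from arbitrary digit runs in decoded blobs.
function luhnValid(pan) {
  let sum = 0;
  let double = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = pan.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate Base64 blobs: long runs of the standard or URL-safe alphabet.
const B64_RUN = /[A-Za-z0-9+/_-]{16,}={0,2}/g;
// 13 to 19 digits, optionally separated by spaces or dashes as typed into a form.
const PAN_RUN = /\d(?:[ -]?\d){12,18}/g;
// Field names a skimmer typically ships alongside the number.
const FIELD_HINT = /\b(?:cvc|cvv|exp|expiry|number|card|pan)\b/i;

// Decode a blob and reject anything that looks binary rather than text.
function decodePrintable(blob) {
  const text = Buffer.from(blob, 'base64').toString('utf8');
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFD]/.test(text)) return null;
  return text;
}

// Keep BIN and last four only; never log full PANs from a detector.
function mask(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Returns masked Luhn-valid PANs found inside any Base64 blob in the body, and
// whether the decoded payload also carries card-field names.
function findEncodedCards(body) {
  const cards = [];
  let fieldHints = false;
  for (const blob of body.match(B64_RUN) || []) {
    const text = decodePrintable(blob);
    if (text === null) continue;
    if (FIELD_HINT.test(text)) fieldHints = true;
    for (const run of text.match(PAN_RUN) || []) {
      const digits = run.replace(/[ -]/g, '');
      if (luhnValid(digits)) cards.push(mask(digits));
    }
  }
  return { cards, fieldHints };
}

// Assumed allowlist: hosts the merchant legitimately sends card data to.
const PSP_HOSTS = new Set(['api.stripe.com', 'js.stripe.com']);

// Alert on any request carrying a Luhn-valid PAN to a host outside the allowlist.
function flagExfil(requests) {
  const alerts = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    const { cards, fieldHints } = findEncodedCards(req.body);
    if (cards.length > 0 && !PSP_HOSTS.has(host)) {
      alerts.push({ host, cards, fieldHints });
    }
  }
  return alerts;
}

// Constructed sample traffic: a normal cart update, a benign Base64 field, the
// skimmer-style exfil POST, and a decoy whose digit string fails Luhn.
const b64 = (s) => Buffer.from(s).toString('base64');
const SAMPLE_REQUESTS = [
  { url: 'https://shop.example/cart/update', body: 'qty=2&sku=SKU-1001' },
  { url: 'https://shop.example/api/note', body: 'note=' + b64('Please leave the parcel at the back door') },
  { url: 'https://collector.example/log',
    body: 'd=' + b64(JSON.stringify({ number: '4242 4242 4242 4242', exp: '12/29', cvc: '123', name: 'J. Doe' })) },
  { url: 'https://collector.example/log', body: 'd=' + b64('{"number":"1234567890123456"}') },
];

console.log(JSON.stringify(flagExfil(SAMPLE_REQUESTS), null, 2));
```

Only the third request is flagged: its blob decodes to a Luhn-valid number plus cvc and expiry fields, bound for a host that is not a payment provider. The same card data posted to api.stripe.com would pass the allowlist, which is exactly why the validation call to Stripe's own API does not trip this check and the exfiltration to the attacker's server does.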

The script is individually customised for each targeted website. Stripe is not the only payment provider targeted either: the researchers also found a similar skimmer aimed at Square payment forms, suggesting the operators cover several providers to reach as many victims as possible. The fake payment pages also add extra payment options using cryptocurrencies.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
