Menace hunters are warning of a classy net skimmer marketing campaign that leverages a legacy utility programming interface (API) from fee processor Stripe to validate stolen fee info previous to exfiltration.
“This tactic ensures that solely legitimate card knowledge is shipped to the attackers, making the operation extra environment friendly and probably tougher to detect,” Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho stated in a report.
As many as 49 retailers are estimated to have been affected by the marketing campaign to this point. Fifteen of the compromised websites have taken motion to take away the malicious script injections. The exercise is assessed to be ongoing since a minimum of August 20, 2024.
Particulars of the marketing campaign have been first flagged by safety agency Supply Protection in direction of the top of February 2025, detailing the online skimmer’s use of the “api.stripe[.]com/v1/sources” API, which permits functions to simply accept varied fee strategies. The endpoint has been deprecated in favor of the brand new PaymentMethods API as of Could 15, 2024.
The assault chains make use of malicious domains because the preliminary distribution level for the JavaScript skimmer that is designed to intercept and conceal the reliable fee kind on order checkout pages, serve a reproduction of the reliable Stripe fee display, validate it utilizing the sources API, after which transmit it to a distant server in Base64-encoded format.
Jscrambler stated the risk actors behind the operation are doubtless leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the preliminary stage script. This loader script serves to decipher and launch a Base64-encoded next-stage, which, in flip, accommodates the URL pointing to the skimmer.
“The skimming script hides the reliable Stripe iframe and overlays it with a malicious one designed to imitate its look,” the researchers stated. “It additionally clones the ‘Place Order’ button, hiding the true one.”
As soon as the main points are exfiltrated, customers are displayed an error message, asking them to reload the pages. There may be some proof to recommend that the ultimate skimmer payload is generated utilizing some kind of software owing to the truth that the script seems to be tailor-made to every focused website.
The safety firm additional famous that it uncovered skimmer scripts impersonating a Sq. fee kind, suggesting that the risk actors are doubtless focusing on a number of fee service suppliers. And that is not all. The skimming code has additionally been noticed including different fee choices utilizing cryptocurrencies like Bitcoin, Ether (Ethereum), Tether, and Litecoin.
“This subtle net skimming marketing campaign highlights the evolving techniques attackers use to stay undetected,” the researchers stated. “And as a bonus, they successfully filter out invalid bank card knowledge, making certain that solely legitimate credentials are stolen.”
