
Stripe, credit cards stripped of their juice

  • Javier Conejo del Cerro
  • 4 Apr
  • 2 min read



A silent but calculated campaign is targeting online retailers and unsuspecting shoppers alike. A group of threat actors has launched a web skimming operation that abuses a deprecated but still-operational Stripe API endpoint to validate stolen credit card data before exfiltration. The objective is surgical: steal only payment credentials that Stripe itself accepts as valid, and avoid detection by never transmitting junk.

The attack combines technical stealth with strategic precision: malicious scripts are planted in checkout pages, a replica of the legitimate payment interface is shown to the shopper, and the legacy api.stripe[.]com/v1/sources endpoint is called from the victim's browser to confirm that each harvested card is live before the data is sent, Base64-encoded (obfuscated, not encrypted), to attacker-controlled servers.


Victims at Checkout


At least 49 e-commerce merchants running WordPress/WooCommerce and PrestaShop have been confirmed as victims. The sites were compromised through misconfigurations or known plugin vulnerabilities, which let the attackers inject malicious JavaScript into the checkout.

Once loaded, the script hides the legitimate Stripe iframe and overlays a malicious one on top of it. The customer proceeds through checkout unaware, interacting with a faithful replica of the payment interface. When payment details are entered, the script quietly validates them through Stripe's legacy API; only cards that pass are sent to the attackers.

To maintain the illusion, the script also clones the "Place Order" button and displays a fake error message asking the user to reload the page, by which point the data has already been stolen. In many cases the final payload is customized for each targeted site, which suggests a skimmer-generation toolkit rather than hand-built scripts.
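A check for exactly this manipulation, as an added example that is not part of the original article and not code from the campaign: it flags a hidden Stripe iframe, an iframe from an untrusted origin, card fields reachable from the page DOM, and a duplicated "Place Order" button. The trusted hosts, the button label, the shop.example origin and the two constructed DOM snapshots are assumptions.

```javascript
// Added example, not code from the original article: a client-side integrity
// check for the overlay trick described above (legitimate Stripe iframe hidden,
// attacker iframe laid over it, "Place Order" button cloned). The detection
// logic is pure so it runs outside a browser; installCheckoutMonitor() wires
// it to a MutationObserver when a document exists. Hosts, button label and
// sample snapshots are assumptions for illustration.

const TRUSTED_FRAME_HOSTS = new Set(["js.stripe.com", "hooks.stripe.com"]);
const ORDER_BUTTON_TEXT = "place order";

// Hostname of an iframe src; a relative or empty src resolves to the shop's
// own (assumed) host, which is deliberately not in the trusted set.
function hostOf(src) {
  try {
    return new URL(src, "https://shop.example/").hostname;
  } catch (_) {
    return "";
  }
}

// Computed-style checks for the ways a script hides an element in place.
function isHidden(style) {
  return style.display === "none" || style.visibility === "hidden" ||
    parseFloat(style.opacity) === 0;
}

// Pure detection over element descriptors:
//   { tag, src, text, name, autocomplete, style: { display, visibility, opacity } }
// Returns the list of findings; empty means nothing looked tampered with.
function auditCheckout(snapshot) {
  const findings = [];
  for (const el of snapshot) {
    if (el.tag === "iframe") {
      if (!TRUSTED_FRAME_HOSTS.has(hostOf(el.src || ""))) {
        findings.push(`untrusted iframe: ${el.src || "(inline/srcdoc)"}`);
      } else if (isHidden(el.style || {})) {
        findings.push(`trusted payment iframe hidden: ${el.src}`);
      }
    }
    // With Stripe Elements the card fields live inside Stripe's iframe, so a
    // card-number input reachable from the page DOM is itself a red flag.
    if (el.tag === "input" && /cc-?num|card/i.test(el.autocomplete || el.name || "")) {
      findings.push(`card input outside payment iframe: ${el.autocomplete || el.name}`);
    }
  }
  const orderButtons = snapshot.filter((el) =>
    el.tag === "button" && (el.text || "").trim().toLowerCase() === ORDER_BUTTON_TEXT);
  if (orderButtons.length > 1) {
    findings.push(`order button cloned: ${orderButtons.length} copies`);
  }
  return findings;
}

// Browser side: flatten the live DOM into descriptors, descending into
// same-origin iframes (where an injected overlay's fields would live).
function snapshotDocument(doc, win) {
  const out = [];
  for (const el of doc.querySelectorAll("iframe, button, input")) {
    const cs = win.getComputedStyle(el);
    out.push({
      tag: el.tagName.toLowerCase(),
      src: el.getAttribute("src") || "",
      text: el.textContent,
      name: el.getAttribute("name") || "",
      autocomplete: el.getAttribute("autocomplete") || "",
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    });
    // contentDocument is null for cross-origin frames such as Stripe's own.
    if (el.tagName === "IFRAME" && el.contentDocument) {
      out.push(...snapshotDocument(el.contentDocument, el.contentWindow));
    }
  }
  return out;
}

// Re-audit after every DOM mutation; the caller should ship findings to its
// own server, since anything shown in the page can be hidden by the skimmer.
function installCheckoutMonitor(onFinding) {
  if (typeof document === "undefined") return null; // not running in a browser
  const run = () => auditCheckout(snapshotDocument(document, window)).forEach(onFinding);
  const observer = new MutationObserver(run);
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true,
    attributeFilter: ["style", "class", "hidden", "src"],
  });
  run();
  return observer;
}

// Constructed samples: the checkout as shipped, and after the skimmer ran.
const CLEAN_SNAPSHOT = [
  { tag: "iframe", src: "https://js.stripe.com/v3/elements-inner-card.html", style: { display: "block" } },
  { tag: "button", text: "Place Order", style: {} },
];
const SKIMMED_SNAPSHOT = [
  { tag: "iframe", src: "https://js.stripe.com/v3/elements-inner-card.html", style: { display: "none" } },
  { tag: "iframe", src: "", style: { display: "block" } }, // attacker overlay
  { tag: "input", name: "cardnumber", autocomplete: "cc-number", style: {} },
  { tag: "button", text: "Place Order", style: { display: "none" } },
  { tag: "button", text: "Place Order", style: {} }, // the clone
];
```

In a page, call installCheckoutMonitor with a callback that reports findings to your own backend rather than rendering them client-side. The limitation is structural: a skimmer that loads before this script can patch MutationObserver or remove the monitor, so load it as early as possible and treat silence as "unverified", not "clean".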


Tailored Skimmers and Crypto Fraud


This isn't only about Stripe. Some variants of the toolkit impersonate Square's payment UI or add cryptocurrency options (Bitcoin, Ether, Tether and Litecoin) to the fake form. The threat actors adapt the injected interface to whatever payment service they detect on the victim site.

This level of customization makes the fake form more believable and raises the odds of a successful harvest. It also shows how hard the tampering is to spot for users and site owners alike, especially when only functional, validated card data leaves the page: there is no flood of junk submissions to notice.


Defensive Measures: Clean the Checkout


To mitigate this evolving threat, online merchants and developers must take several defensive steps:


  • Audit for deprecated APIs: confirm your own integration no longer relies on legacy endpoints such as api.stripe[.]com/v1/sources. A checkout that never creates Sources has no reason to generate that call, so any such request originating from your pages is a skimmer indicator.

  • Inspect payment iframes: verify that the legitimate Stripe iframe is present, visible, and not covered by another frame or by injected form fields.

  • Patch CMS and plugins: keep WordPress, WooCommerce and PrestaShop installations up to date, along with all third-party plugins and themes.

  • Implement Content Security Policy (CSP): restrict the origins from which scripts and frames can be loaded and to which the page may connect. This cannot stop the validation call itself, since any working Stripe checkout must be allowed to reach api.stripe.com, but it can block the injected script's host and the exfiltration destination.

  • Deploy runtime protections: use tooling that observes DOM changes and monitors JavaScript behaviour in real time, to catch skimmers that hide or replace payment elements after the page has loaded.

  • Monitor for anomalies: regularly inspect your checkout's outbound network traffic and loaded scripts. Base64-encoded POSTs to unfamiliar hosts and unexpected calls to Stripe's Sources endpoint are both out of place.
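To make the CSP point concrete, the following added example (not from the original article) builds a locked-down policy for a Stripe checkout and runs a small evaluator over the requests a skimmer of this kind makes. It handles only host sources, 'self', 'none' and scheme sources, so it is a teaching aid rather than a replacement for the browser's own evaluation; the shop.example origin and the attacker URLs are constructed.

```javascript
// Added example, not code from the original article: a hardened CSP for a
// Stripe-based checkout next to a permissive one, and a deliberately small
// evaluator answering "would this policy let this request through?". It
// ignores nonces, hashes, ports, paths and host wildcards; the browser is the
// real evaluator. The shop origin and attacker URLs are constructed.

const SITE_ORIGIN = "https://shop.example";

// Permissive policy: effectively what a checkout without CSP runs.
const WEAK_CSP = "default-src * 'unsafe-inline'";

// Hardened policy: only Stripe may serve scripts and frames; the page may only
// connect to itself and api.stripe.com. Merchant inline scripts need nonces.
const CHECKOUT_CSP = [
  "default-src 'self'",
  "script-src 'self' https://js.stripe.com",
  "frame-src https://js.stripe.com https://hooks.stripe.com",
  "connect-src 'self' https://api.stripe.com",
  "img-src 'self' data:",
  "form-action 'self'",
  "object-src 'none'",
  "base-uri 'self'",
].join("; ");

// Directives that never fall back to default-src.
const NO_FALLBACK = new Set(["form-action", "base-uri", "frame-ancestors"]);

// "directive src src; directive src" -> Map(directive -> [source expressions])
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Does one source expression permit this URL?
function sourceMatches(expr, url) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return url.origin === SITE_ORIGIN;
  if (expr.endsWith(":")) return url.protocol === expr;   // scheme-source, e.g. data:
  if (expr.startsWith("'")) return false;                  // 'unsafe-inline', nonces, hashes
  try {
    const e = new URL(expr);                               // host-source: scheme://host
    return e.protocol === url.protocol && e.hostname === url.hostname;
  } catch (_) {
    return false;
  }
}

// Evaluate one request against the policy, applying default-src fallback.
function isAllowed(header, directive, target) {
  const policy = parseCsp(header);
  let sources = policy.get(directive);
  if (sources === undefined && !NO_FALLBACK.has(directive)) sources = policy.get("default-src");
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const url = new URL(target);
  return sources.some((expr) => sourceMatches(expr, url));
}

// The requests a skimmer of this kind makes (constructed attacker hosts).
const SKIMMER_REQUESTS = [
  ["script-src",  "https://cdn.attacker.example/skim.js",        "loading the skimmer from an attacker host"],
  ["frame-src",   "https://pay.attacker.example/overlay.html",   "overlaying a fake payment iframe"],
  ["connect-src", "https://api.stripe.com/v1/sources",           "validating the card against Stripe"],
  ["connect-src", "https://collect.attacker.example/in",         "exfiltrating the Base64 payload"],
  ["img-src",     "https://collect.attacker.example/p.gif",      "exfiltrating via an image beacon"],
  ["form-action", "https://collect.attacker.example/post",       "exfiltrating via a cloned form"],
];

// Returns, for each skimmer request, whether the given policy lets it through.
function evaluate(header) {
  return SKIMMER_REQUESTS.map(([directive, target, what]) => ({
    what, directive, target, allowed: isAllowed(header, directive, target),
  }));
}
```

Under CHECKOUT_CSP every attacker-hosted request is refused and the one request that still passes is the validation call to api.stripe.com, because a real checkout needs that origin. Roll a policy like this out as Content-Security-Policy-Report-Only first and watch the violation reports, since legitimate third-party scripts will surface there before they break. Two further caveats: a skimmer injected inline by a compromised plugin is only blocked if the policy has no 'unsafe-inline' (use nonces for the merchant's own inline code), and an attacker with server-side control can rewrite the header, so CSP complements patching rather than replacing it.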


This campaign illustrates a trend in attacker tradecraft: web skimming is no longer just form-jacking, but selective harvesting of high-quality, pre-validated data. Using Stripe's legacy API for real-time validation hands the attackers a clean dataset and spares them the failed cards that would otherwise accumulate on their side.

Retailers must treat every component of the checkout as a potential point of failure, and take proactive steps to inspect, secure and harden it. In the battle for user trust, even invisible scripts can do visible damage.


