Risk hunters are warning of a classy web skimmer campaign that leverages a legacy utility programming interface (API) from cost processor Stripe to validate stolen cost data previous to exfiltration.
“This tactic ensures that solely legitimate card knowledge is distributed to the attackers, making the operation extra environment friendly and probably more durable to detect,” Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho said in a report.
As many as 49 retailers are estimated to have been affected by the marketing campaign so far. Fifteen of the compromised websites have taken motion to take away the malicious script injections. The exercise is assessed to be ongoing since not less than August 20, 2024.
Particulars of the marketing campaign have been first flagged by safety agency Supply Protection in the direction of the tip of February 2025, detailing the net skimmer’s use of the “api.stripe[.]com/v1/sources” API, which permits functions to simply accept varied cost strategies. The endpoint has since been deprecated in favor of the brand new PaymentMethods API.
The assault chains make use of malicious domains because the preliminary distribution level for the JavaScript skimmer that is designed to intercept and conceal the official cost type on order checkout pages, serve a duplicate of the official Stripe cost display, validate it utilizing the sources API, after which transmit it to a distant server in Base64-encoded format.
Jscrambler stated the risk actors behind the operation are doubtless leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the preliminary stage script. This loader script serves to decipher and launch a Base64-encoded next-stage, which, in flip, accommodates the URL pointing to the skimmer.
“The skimming script hides the official Stripe iframe and overlays it with a malicious one designed to imitate its look,” the researchers stated. “It additionally clones the ‘Place Order’ button, hiding the true one.”
As soon as the small print are exfiltrated, customers are displayed an error message, asking them to reload the pages. There’s some proof to counsel that the ultimate skimmer payload is generated utilizing some form of instrument owing to the truth that the script seems to be tailor-made to every focused web site.
The safety firm additional famous that it uncovered skimmer scripts impersonating a Sq. cost type, suggesting that the risk actors are doubtless concentrating on a number of cost service suppliers. And that is not all. The skimming code has additionally been noticed including different cost choices utilizing cryptocurrencies like Bitcoin, Ether (Ethereum), Tether, and Litecoin.
“This refined internet skimming marketing campaign highlights the evolving techniques attackers use to stay undetected,” the researchers stated. “And as a bonus, they successfully filter out invalid bank card knowledge, guaranteeing that solely legitimate credentials are stolen.”
Source link