Menace hunters are warning of a classy internet skimmer marketing campaign that leverages a legacy utility programming interface (API) from fee processor Stripe to validate stolen fee data previous to exfiltration.
“This tactic ensures that solely legitimate card information is shipped to the attackers, making the operation extra environment friendly and doubtlessly more durable to detect,” Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho stated in a report.
As many as 49 retailers are estimated to have been affected by the marketing campaign so far. Fifteen of the compromised websites have taken motion to take away the malicious script injections. The exercise is assessed to be ongoing since not less than August 20, 2024.
Particulars of the marketing campaign had been first flagged by safety agency Supply Protection in the direction of the top of February 2025, detailing the net skimmer’s use of the “api.stripe[.]com/v1/sources” API, which permits purposes to simply accept numerous fee strategies. The endpoint has since been deprecated in favor of the brand new PaymentMethods API.
The assault chains make use of malicious domains because the preliminary distribution level for the JavaScript skimmer that is designed to intercept and conceal the professional fee kind on order checkout pages, serve a duplicate of the professional Stripe fee display, validate it utilizing the sources API, after which transmit it to a distant server in Base64-encoded format.
Jscrambler stated the risk actors behind the operation are seemingly leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the preliminary stage script. This loader script serves to decipher and launch a Base64-encoded next-stage, which, in flip, accommodates the URL pointing to the skimmer.
“The skimming script hides the professional Stripe iframe and overlays it with a malicious one designed to imitate its look,” the researchers stated. “It additionally clones the ‘Place Order’ button, hiding the true one.”
As soon as the main points are exfiltrated, customers are displayed an error message, asking them to reload the pages. There’s some proof to counsel that the ultimate skimmer payload is generated utilizing some kind of instrument owing to the truth that the script seems to be tailor-made to every focused website.
The safety firm additional famous that it uncovered skimmer scripts impersonating a Sq. fee kind, suggesting that the risk actors are seemingly focusing on a number of fee service suppliers. And that is not all. The skimming code has additionally been noticed including different fee choices utilizing cryptocurrencies like Bitcoin, Ether (Ethereum), Tether, and Litecoin.
“This refined internet skimming marketing campaign highlights the evolving ways attackers use to stay undetected,” the researchers stated. “And as a bonus, they successfully filter out invalid bank card information, guaranteeing that solely legitimate credentials are stolen.”
