A newly uncovered web skimming campaign has revealed a sophisticated method of validating stolen payment card data using a deprecated Stripe API.
This innovative tactic enables attackers to ensure only valid card information is exfiltrated, making their operations more efficient and harder to detect.
How the Attack Works
The campaign employs a multi-stage approach to compromise online merchant checkout pages, primarily targeting platforms like WooCommerce, WordPress, and PrestaShop.
- Stage 1: Malicious Loader Injection
  Attackers inject a loader script disguised as Google Analytics (GAO variant) into vulnerable websites. This script serves as the entry point for subsequent malicious code.
- Stage 2: Decoding the Next Stage
  A base64-encoded script is dynamically evaluated to fetch the URL for the final stage, bypassing static security controls like Web Application Firewalls (WAFs).
- Stage 3: The Skimmer
  The skimmer overlays a fake Stripe iframe on top of the legitimate one and clones the “Place Order” button. When users input payment details, the skimmer validates the card using Stripe’s API. If valid, the data is sent to an attacker-controlled server, while users receive an error message prompting them to reload the page.
Interestingly, this campaign also includes silent skimmer variants that operate without user-visible errors.
Additionally, attackers use local storage entries to prevent duplicate skimming attempts.
Scope of Impact
Jscrambler’s research identified 49 compromised merchants so far, with evidence suggesting the campaign has been active since August 2024.
The attackers use dynamically generated skimmer scripts tailored for each victim site, leveraging referrer headers to deliver specific versions of malicious code.
Moreover, researchers found over 20 additional domains hosted on the same IP addresses linked to this operation.
In some instances, attackers expanded their tactics by mimicking other payment platforms like Square or injecting cryptocurrency payment options via fake MetaMask wallet windows.
Why Stripe’s API?
The use of Stripe’s legacy API offers several advantages to attackers:
- It seamlessly integrates into existing payment flows without raising suspicion.
- Invalid card data is filtered out during client-side validation, reducing detection risks.
- Legitimate user devices and IP addresses make fraudulent activity indistinguishable from normal operations.
Despite these advantages for the attackers, researchers noted that the skimmers often call outdated API versions or embed hardcoded keys, which gives defenders a detection opportunity.
Mitigation Strategies
To combat web skimming attacks:
- Merchants should implement real-time webpage monitoring solutions like Jscrambler Webpage Integrity.
- Third-party service providers (TPSPs) can adopt hardened iframe implementations to prevent unauthorized modifications.
- Automated tools enforcing PCI DSS 4.0 standards offer critical protection for small merchants lacking cybersecurity expertise.
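A small detector for the two on-page symptoms described in Stage 3 (an iframe overlaid on the payment iframe and a cloned checkout button), the kind of real-time webpage monitoring the list above calls for; it is an added illustration, not code from the article or from Jscrambler, and the origin allowlist, element model and sample data are assumptions.

```javascript
// Added example (not from the article or Jscrambler): a minimal page-integrity check for
// the skimmer behaviours described above, an iframe overlaid on the payment iframe and a
// cloned checkout button. The allowlist, element model and sample data are assumptions.
const ALLOWED_FRAME_ORIGINS = ['https://js.stripe.com']; // assumption: the merchant's real PSP

function originOf(url) { try { return new URL(url).origin; } catch { return null; } }

function rectsOverlap(a, b) {
  return a.x < b.x + b.width && b.x < a.x + a.width && a.y < b.y + b.height && b.y < a.y + a.height;
}

// `elements` is an array of {tag, src, text, rect} so the logic also runs outside a browser;
// snapshotDom() produces the same shape from a live document.
function findSkimmingIndicators(elements) {
  const findings = [];
  const frames = elements.filter(e => e.tag === 'iframe');
  const trusted = frames.filter(f => ALLOWED_FRAME_ORIGINS.includes(originOf(f.src)));
  for (const f of frames) {
    if (trusted.includes(f)) continue;
    // An untrusted frame whose box intersects the trusted payment frame is the overlay pattern.
    const covers = trusted.some(t => rectsOverlap(t.rect, f.rect));
    findings.push({ kind: covers ? 'overlay_iframe' : 'unexpected_iframe', src: f.src });
  }
  const counts = new Map(); // button label -> occurrences; a cloned "Place Order" yields 2
  for (const b of elements.filter(e => e.tag === 'button')) {
    const label = (b.text || '').trim().toLowerCase();
    counts.set(label, (counts.get(label) || 0) + 1);
  }
  for (const [label, n] of counts) {
    if (n > 1 && /place order|pay now/.test(label)) findings.push({ kind: 'duplicate_button', text: label, count: n });
  }
  return findings;
}

function snapshotDom(doc) {
  return Array.from(doc.querySelectorAll('iframe, button')).map(el => {
    const r = el.getBoundingClientRect();
    return { tag: el.tagName.toLowerCase(), src: el.src || '', text: el.textContent,
             rect: { x: r.x, y: r.y, width: r.width, height: r.height } };
  });
}

// Constructed sample: the real Stripe frame, an attacker frame covering it, and a cloned button.
const SAMPLE = [
  { tag: 'iframe', src: 'https://js.stripe.com/v3/elements', text: '', rect: { x: 10, y: 200, width: 320, height: 40 } },
  { tag: 'iframe', src: 'https://attacker.example/fake-card.html', text: '', rect: { x: 10, y: 200, width: 320, height: 40 } },
  { tag: 'button', src: '', text: 'Place Order', rect: { x: 10, y: 260, width: 120, height: 36 } },
  { tag: 'button', src: '', text: 'Place Order', rect: { x: 10, y: 260, width: 120, height: 36 } },
];
```

In a browser, call findSkimmingIndicators(snapshotDom(document)) from a MutationObserver callback so the check re-runs when a skimmer injects its elements at runtime.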
This campaign exemplifies the evolving tactics cybercriminals employ to evade detection while maximizing efficiency in stealing payment data.
Merchants are urged to prioritize robust security measures against client-side threats and monitor their websites for indicators of compromise (IOCs).