A sophisticated web skimming campaign leveraging Stripe’s legacy API has been uncovered by Jscrambler researchers. The attack injects malicious scripts into e-commerce checkout pages, capturing customer payment details before they reach Stripe’s secure processing system. The attackers use Stripe’s legitimate API to intercept and exfiltrate payment information, making detection difficult. The operation targets online merchants using Stripe, with 49 compromised merchants identified so far, though more are likely affected.
Unlike traditional skimmers, this campaign mimics legitimate functionality to avoid detection. The malicious JavaScript intercepts payment details as they are entered and sends them to attacker-controlled domains. Researchers note that businesses using third-party scripts may be vulnerable without proper security measures in place. The attack uses vulnerabilities in platforms like WooCommerce, WordPress, and PrestaShop to implant the initial script.
The skimming script hides Stripe’s legitimate payment iframe, replacing it with a malicious version to capture data. It also clones the ‘Place Order’ button, making the attack less noticeable to users. Once the stolen data is exfiltrated, users are shown an error message prompting them to reload the page. The payload is tailored to each targeted site, adding to the complexity of detection.
Jscrambler warns that the attack chain can also impersonate other payment forms like Square and even adds cryptocurrency options. This evolving web skimming tactic highlights how attackers adapt to bypass security and filter out invalid card data, ensuring they only steal valid payment credentials. Online merchants are advised to implement real-time monitoring and use secure iFrame solutions to mitigate the risk of skimming attacks.
