Sophisticated Web Skimmer Campaign Targets Stripe API for Validation of Stolen Payment Info
Threat hunters have identified a sophisticated web skimmer campaign using a legacy API from payment processor Stripe to validate stolen payment data before exfiltrating it, making the operation more efficient and harder to detect.
This tactic ensures that only valid card data is sent to the attackers, improving the skimming operation's success rate. According to researchers Pedro Fortuna, David Alves, and Pedro Marrucho from Jscrambler, this approach increases the operational stealth of the attack.
As of now, 49 merchants are estimated to have been affected by this campaign. Fifteen of the compromised sites have already removed the malicious script injections. The attack is believed to have been ongoing since at least August 20, 2024, with details of the operation first flagged by Source Defense in February 2025.
How the Web Skimmer Works
The campaign utilizes the “api.stripe[.]com/v1/sources” API, which enables apps to accept different payment methods. Although this endpoint has since been deprecated, it was initially exploited to validate stolen card data by replicating Stripe’s legitimate payment interface. The skimmer intercepts the checkout page, hides the actual payment form, and overlays it with a fake version of the Stripe payment form. After validating the stolen data, it transmits the information to a remote server in Base64-encoded format.
The attack chain begins with malicious domains that serve as the distribution point for a JavaScript skimmer. Vulnerabilities in platforms like WooCommerce, WordPress, and PrestaShop are believed to be exploited to implant the initial script. This loader script decodes the next-stage payload, which points to the skimmer script itself.
Once the user enters payment details, the skimmer clones the "Place Order" button, hides the real one, and proceeds to steal the information. After exfiltration, users are presented with an error message, prompting them to reload the page. There’s evidence suggesting that the skimmer payload is tailored to each targeted site, likely created using specialized tools.
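One way a merchant could screen the scripts served on a checkout page for the behaviour described above, as an added example and not code from Jscrambler, Source Defense or the campaign itself: a small heuristic scanner that looks for direct use of the deprecated `/v1/sources` endpoint together with the other traits the researchers describe (hiding the real form, cloning the order button, Base64-encoding data). The indicator patterns, threshold and both sample scripts are constructed assumptions for illustration.

```python
import re

# Heuristic indicators drawn from the behaviour described in the article:
# direct calls to the deprecated Stripe /v1/sources endpoint, Base64 encoding
# of the collected data, hiding the real payment form, and cloning a button.
INDICATORS = {
    "deprecated_sources_api": re.compile(r"api\.stripe\.com/v1/sources"),
    "base64_encode": re.compile(r"\bbtoa\s*\("),
    "hides_element": re.compile(r"\.style\.display\s*=\s*['\"]none['\"]"),
    "clones_node": re.compile(r"\.cloneNode\s*\("),
    "place_order_ref": re.compile(r"place[\s_-]?order", re.IGNORECASE),
}

def score_script(js: str) -> dict:
    """Return which indicators match in a script plus a total score."""
    hits = {name: bool(p.search(js)) for name, p in INDICATORS.items()}
    score = sum(hits.values())
    hits["score"] = score
    return hits

def is_suspicious(js: str, threshold: int = 3) -> bool:
    # Merchant page code has no reason to call /v1/sources directly, so that
    # alone is flagged; otherwise require several traits together to limit
    # false positives. The threshold is an assumed value for this example.
    hits = score_script(js)
    return hits["deprecated_sources_api"] or hits["score"] >= threshold

# Constructed samples (not real merchant or attacker code). BENIGN mimics a
# standard Stripe.js Elements integration; SUSPICIOUS holds only the indicator
# strings the article describes, in isolation.
BENIGN = """
const stripe = Stripe('pk_test_PLACEHOLDER');
const card = stripe.elements().create('card');
card.mount('#card-element');
form.addEventListener('submit', async (e) => {
  e.preventDefault();
  const {token} = await stripe.createToken(card);
  submitToken(token.id);
});
"""

SUSPICIOUS = """
document.querySelector('#payment-form').style.display = 'none';
var fake = realBtn.cloneNode(true); // "Place Order"
fetch('https://api.stripe.com/v1/sources', {method: 'POST', body: formData});
var blob = btoa(JSON.stringify(collected));
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, score_script(src), "->", "FLAG" if is_suspicious(src) else "ok")
```

Run it against every inline and third-party script fetched by the checkout page; a hit on the deprecated endpoint from anything other than Stripe's own loader is worth a manual look.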
Targeting Multiple Payment Providers
In addition to impersonating Stripe, researchers also discovered that the skimmer scripts were mimicking Square payment forms, indicating that the attackers may be targeting other payment service providers. The skimming code has also been seen adding cryptocurrency payment options, including Bitcoin, Ether (Ethereum), Tether, and Litecoin, to the sites.
This web skimming campaign demonstrates the evolving tactics used by attackers to stay undetected while filtering out invalid card data, ensuring that only valid payment information is stolen. It highlights the increasingly sophisticated methods criminals employ to exfiltrate sensitive data and evade detection.