Legacy Stripe API Exploited to Validate Stolen Payment Cards in Web Skimmer Campaign
Threat hunters are warning of a sophisticated web skimmer campaign that leverages a legacy application programming interface (API) from payment processor Stripe to validate stolen payment information prior to exfiltration.
"This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect," Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho said in a report.
As many as 49 merchants are estimated to have been affected by the campaign to date. Fifteen of the compromised sites have taken action to remove the malicious script injections. The activity is assessed to be ongoing since at least August 20, 2024.
Details of the campaign were first flagged by security firm Source Defense towards the end of February 2025, detailing the web skimmer's use of the "api.stripe[.]com/v1/sources" API, which allows applications to accept various payment methods. The endpoint has since been deprecated in favor of the new PaymentMethods API.
The attack chains employ malicious domains as the initial distribution point for the JavaScript skimmer that's designed to intercept and hide the legitimate payment form on order checkout pages, serve a replica of the legitimate Stripe payment screen, validate it using the sources API, and then transmit it to a remote server in Base64-encoded format.
Jscrambler said the threat actors behind the operation are likely leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the initial stage script. This loader script serves to decipher and launch a Base64-encoded next-stage, which, in turn, contains the URL pointing to the skimmer.
"The skimming script hides the legitimate Stripe iframe and overlays it with a malicious one designed to mimic its appearance," the researchers said. "It also clones the 'Place Order' button, hiding the real one."
Once the details are exfiltrated, users are displayed an error message, asking them to reload the pages. There is some evidence to suggest that the final skimmer payload is generated using some sort of tool owing to the fact that the script appears to be tailored to each targeted site.
The security company further noted that it uncovered skimmer scripts impersonating a Square payment form, suggesting that the threat actors are likely targeting several payment service providers. And that's not all. The skimming code has also been observed adding other payment options using cryptocurrencies like Bitcoin, Ether (Ethereum), Tether, and Litecoin.
"This sophisticated web skimming campaign highlights the evolving tactics attackers use to remain undetected," the researchers said. "And as a bonus, they effectively filter out invalid credit card data, ensuring that only valid credentials are stolen."
Genetic data site openSNP to close and delete data over privacy concerns
Europol Dismantles Kidflix With 72,000 CSAM Videos Seized in Major Operation
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
HighPath Traversal
InformationalInformation Disclosure - Sensitive Information in HTTP Referrer Header
LowStrict-Transport-Security Missing Max-Age (Non-compliant with Spec)
InformationalContent Security Policy (CSP) Report-Only Header Found
MediumX-Frame-Options Defined via META (Non-compliant with Spec)
Free online web security scanner
