Full Report
Threat hunters are warning of a sophisticated web skimmer campaign that leverages a legacy application programming interface (API) from payment processor Stripe to validate stolen payment information prior to exfiltration. "This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect," Jscrambler researchers Pedro
Analysis Summary
# Tool/Technique: Web Skimmer Campaign Leveraging Legacy Stripe API
## Overview
A sophisticated web skimmer campaign observed targeting up to 49 merchants. The primary unique feature of this campaign is the exploitation of the **legacy Stripe API endpoint `api.stripe[.]com/v1/sources`** to validate stolen payment card information in real-time before exfiltration. This ensures only valid card data is sent to the attackers, increasing operational efficiency.
## Technical Details
- Type: Attack Technique/Malware (Web Skimmer Payload)
- Platform: Web Applications (e.g., running WordPress, WooCommerce, PrestaShop)
- Capabilities: Intercepting payment form data, overlaying legitimate payment iframes, real-time data validation via external API, cloning UI elements, supporting multiple payment types (including crypto).
- First Seen: Activity assessed to be ongoing since at least August 20, 2024.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1190 - Exploit Public-Facing Application (implied, via vulnerability/misconfiguration in e-commerce platforms)
* **TA0008 - Collection**
  * T1056 - Input Capture
    * T1056.001 - Keylogging
    * T1056.004 - Input Capture: Data from Custom Application
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel (data is Base64 encoded before transmission)
## Functionality
### Core Capabilities
- **Injection and Loader:** Utilizing vulnerabilities or misconfigurations in platforms like WooCommerce, WordPress, and PrestaShop to implant a loader script.
- **Decryption:** The loader script deciphers and launches a Base64-encoded next-stage payload containing the skimmer's configuration (including the C2 URL).
- **UI Mimicry:** Hiding the legitimate Stripe iframe and overlaying it with a malicious iframe designed to perfectly mimic the official interface.
- **Button Cloning:** Cloning and hiding the genuine "Place Order" button to control submission flow.
- **Data Exfiltration:** Transmitting stolen card details to a remote server in Base64-encoded format.
### Advanced Features
- **Real-time Validation:** Sending intercepted card data to the legacy Stripe `/v1/sources` API endpoint to check authenticity *before* sending the full batch to the attacker's server.
- **Payload Customization:** Evidence suggests the final skimmer payload is generated using a tool, causing it to appear tailored to each targeted site.
- **Multi-PSP Targeting:** Skimmer scripts observed impersonating not just Stripe, but also Square payment forms.
- **Cryptocurrency Support:** The skimmers have been observed adding options for Bitcoin, Ether (Ethereum), Tether, and Litecoin alongside payment cards.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context, but involve injected JavaScript]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators:
  - Stripe Validation Endpoint: `api.stripe[.]com/v1/sources` (legacy/deprecated)
  - Potential C2/Exfiltration Domains: malicious domains used as the initial distribution point for the loader script (specific domains not listed).
- Behavioral Indicators:
  - Interception and replacement of legitimate payment iframes on checkout pages.
  - POST requests to remote servers containing Base64-encoded data after a simulated payment failure prompt.
  - Displaying an error message and asking the user to reload the page after the exfiltration attempt.
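The two network-side behaviors listed above, turned into detection logic over constructed proxy-style records. This is an added example, not code from the report or from Jscrambler; the allowlisted hosts and the assumption that the merchant has already migrated off `/v1/sources` are assumptions.

```javascript
// Added example (not the report's code). Flags (1) any call to the deprecated
// Stripe /v1/sources endpoint, which a migrated storefront should never make, and
// (2) a POST to a non-allowlisted host whose body is a Base64 blob containing a card number.
const ALLOWED_HOSTS = new Set(["shop.example", "js.stripe.com", "api.stripe.com"]); // assumed allowlist
const DEPRECATED_STRIPE_PATHS = ["/v1/sources"]; // endpoint named in the report

function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d; double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

function decodeBase64Body(body) {
  // Skimmer exfil bodies are a single Base64 blob; reject anything else early.
  if (!/^[A-Za-z0-9+/]{16,}={0,2}$/.test(body.trim())) return null;
  return Buffer.from(body.trim(), "base64").toString("utf8");
}

function containsCardNumber(text) {
  const candidates = text.match(/\d[\d -]{11,22}\d/g) || [];
  return candidates.some(c => luhnValid(c.replace(/[ -]/g, "")));
}

function classify(rec) {
  const u = new URL(rec.url);
  if (u.hostname === "api.stripe.com" && DEPRECATED_STRIPE_PATHS.includes(u.pathname))
    return "deprecated-stripe-sources-call";
  if (rec.method === "POST" && !ALLOWED_HOSTS.has(u.hostname)) {
    const plain = decodeBase64Body(rec.body || "");
    if (plain !== null && containsCardNumber(plain)) return "base64-card-exfil";
  }
  return null;
}

function findSuspicious(records) {
  return records.map(r => ({ url: r.url, verdict: classify(r) })).filter(r => r.verdict !== null);
}

// Constructed sample records; 4242 4242 4242 4242 is Stripe's documented Luhn-valid test card.
const SAMPLE_RECORDS = [
  { method: "GET", url: "https://js.stripe.com/v3/", body: "" },
  { method: "POST", url: "https://api.stripe.com/v1/sources", body: "type=card&card[number]=4242424242424242" },
  { method: "POST", url: "https://cdn-assets.example.net/collect",
    body: Buffer.from('{"number":"4242424242424242","exp":"12/29","cvc":"123"}').toString("base64") },
  { method: "POST", url: "https://cdn-assets.example.net/collect", body: Buffer.from("page reloaded ok").toString("base64") },
];
```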
## Associated Threat Actors
- [Not explicitly named, described generally as threat actors behind the operation.]
## Detection Methods
- Signature-based detection: [Not explicitly detailed, but signatures could target payload structures or the use of the deprecated API endpoint.]
- Behavioral detection: Monitoring for unexpected JavaScript overlays on checkout iframes, or for unauthorized scripts attempting to interact with payment APIs.
- YARA rules: [Not provided in the context]
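A checkout-page self-check for the UI tricks the report describes (hidden legitimate Stripe iframe, overlaying frame from another origin, cloned and hidden "Place Order" button). Added example, not code from the report or from any vendor; the trusted frame origins are assumptions, and `collectFrames` is only needed when a real DOM is available, while the assessment functions are pure and run on constructed records.

```javascript
// Added example (not the report's code): assess iframe and button records from a checkout page.
const TRUSTED_FRAME_ORIGINS = new Set(["https://js.stripe.com", "https://checkout.stripe.com"]); // assumed

// Gathers the record shape used below from a live document (browser only).
function collectFrames(doc) {
  return Array.from(doc.querySelectorAll("iframe")).map(f => {
    const r = f.getBoundingClientRect(), cs = doc.defaultView.getComputedStyle(f);
    return { src: f.src, rect: { x: r.x, y: r.y, w: r.width, h: r.height },
             hidden: cs.display === "none" || cs.visibility === "hidden" || cs.opacity === "0" };
  });
}

function originOf(src) { try { return new URL(src).origin; } catch { return null; } }

function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

// Findings: a trusted payment frame that is hidden or zero-sized, and any visible
// untrusted frame sitting over a trusted frame's box.
function assessCheckoutFrames(frames) {
  const findings = [];
  const trusted = frames.filter(f => TRUSTED_FRAME_ORIGINS.has(originOf(f.src)));
  for (const t of trusted) {
    if (t.hidden || t.rect.w === 0 || t.rect.h === 0)
      findings.push({ kind: "trusted-payment-frame-hidden", src: t.src });
    for (const f of frames) {
      if (f === t || TRUSTED_FRAME_ORIGINS.has(originOf(f.src))) continue;
      if (!f.hidden && overlaps(f.rect, t.rect))
        findings.push({ kind: "untrusted-frame-over-payment-frame", src: f.src });
    }
  }
  return findings;
}

// More than one "Place Order" button with at least one hidden matches the cloning behavior.
function assessOrderButtons(buttons) {
  const named = buttons.filter(b => /place order/i.test(b.text));
  return named.length > 1 && named.some(b => b.hidden)
    ? [{ kind: "cloned-hidden-order-button", count: named.length }] : [];
}

// Constructed records mimicking the described overlay: real frame hidden, look-alike frame on top.
const SAMPLE_FRAMES = [
  { src: "https://js.stripe.com/v3/elements-inner-card", rect: { x: 10, y: 10, w: 300, h: 40 }, hidden: true },
  { src: "https://pay-assets.example.net/card.html", rect: { x: 10, y: 10, w: 300, h: 40 }, hidden: false },
];
const SAMPLE_BUTTONS = [{ text: "Place Order", hidden: true }, { text: "Place Order", hidden: false }];
```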
## Mitigation Strategies
- **API Migration:** Merchants must ensure they are using current, supported payment processing APIs (e.g., Stripe's PaymentMethods API) and discontinue use of deprecated endpoints like `/v1/sources`.
- **File Integrity Monitoring (FIM):** Implement strict FIM on content management system files associated with checkout pages (e.g., JavaScript libraries, theme files) in WordPress, WooCommerce, and PrestaShop installations.
- **Supply Chain Security:** Regularly audit third-party extensions and plugins for unauthorized modifications or remote script injections.
- **Content Security Policy (CSP):** Implement a strong CSP to restrict which domains scripts can load resources from, potentially blocking the loading of the initial malicious loader script.
## Related Tools/Techniques
- Web skimmers (this campaign falls within the broad Magecart category).
- Attacks targeting payment processors' APIs.