- Researchers found more than four dozen ecommerce sites infected with a credit card skimmer
- The skimmer abused a deprecated Stripe API to validate the information
- Users are advised to migrate to the new API
Legacy Stripe APIs are being hijacked to process fraudulent payments made on compromised ecommerce websites, experts have warned.
Cybersecurity researchers Jscrambler have outlined a campaign which has been ongoing since at least late August 2024, with at least 49 ecommerce sites compromised with a credit card skimmer.
The final number of victims is probably a lot bigger, though, since the investigation is still ongoing.
“Sophisticated campaign”
On these 49 websites, the attackers injected malicious JavaScript that overlaid the legitimate checkout page with a fake one. The fake page harvested shoppers’ payment information and, once the form was submitted, served a bogus error asking them to reload the page.
The attackers would then use an old Stripe API, called “api.stripe[.]com/v1/sources”, to process the payments.
Jscrambler says the attackers could “easily do that later” as well, checking the stolen cards with carding bots or dark web services.
However, doing it client-side has its benefits, mainly because all of the affected websites were already using the API in their normal payment flow, so the skimmer’s calls blend in with legitimate checkout traffic.
Furthermore, security tools and researchers often submit invalid credit card details as part of their work, so discarding those entries rather than skimming them makes the operation less likely to be detected.
How these websites were compromised is not known, but Jscrambler speculates that the attackers most likely exploited a range of vulnerabilities and misconfigurations. WooCommerce, WordPress, and PrestaShop sites were all targeted.
“This sophisticated web skimming campaign highlights the evolving tactics attackers use to remain undetected,” the researchers said. “And as a bonus, they effectively filter out invalid credit card data, ensuring that only valid credentials are stolen.”
The best way to mitigate this risk is to process payments with the newest Stripe API: the endpoint abused in these attacks was deprecated in favor of the PaymentMethods API in May 2024.
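The client-side validation trick and the migration advice above suggest a simple detection: a shop that has moved to the PaymentMethods API should never see browser traffic to the deprecated Sources endpoint. The following script is an added example, not Jscrambler's or Stripe's code; it scans constructed proxy-style log lines (session, method, URL) and flags sessions that post to api.stripe.com/v1/sources, with a higher-severity verdict when the same session also uses the legitimate /v1/payment_methods endpoint, which is the pattern a skimmer running alongside a migrated checkout would produce.

```python
"""Flag checkout sessions that call the deprecated Stripe Sources endpoint.

Log format and sample lines are constructed for this example:
    <session-id> <HTTP method> <URL>
"""
import re
from collections import defaultdict

# One request per line; extra whitespace between fields is tolerated.
LOG_RE = re.compile(r"^(?P<session>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Endpoint named in the article as abused by the skimmer.
DEPRECATED_SOURCES = "https://api.stripe.com/v1/sources"
# Endpoint of the PaymentMethods API that replaced it.
PAYMENT_METHODS = "https://api.stripe.com/v1/payment_methods"


def parse_line(line):
    """Return {'session', 'method', 'url'} or None for a malformed line."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def analyse(lines):
    """Map each session that touched a Stripe card endpoint to a verdict."""
    endpoints_by_session = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        url = rec["url"].split("?", 1)[0]  # ignore query strings
        if url.startswith(DEPRECATED_SOURCES):
            endpoints_by_session[rec["session"]].add("sources")
        elif url.startswith(PAYMENT_METHODS):
            endpoints_by_session[rec["session"]].add("payment_methods")

    verdicts = {}
    for session, endpoints in endpoints_by_session.items():
        if {"sources", "payment_methods"} <= endpoints:
            # Legitimate flow plus a deprecated call: skimmer-like behaviour.
            verdicts[session] = "ALERT: deprecated Sources call alongside PaymentMethods flow"
        elif "sources" in endpoints:
            verdicts[session] = "WARN: checkout still posting to deprecated Sources API"
        else:
            verdicts[session] = "ok"
    return verdicts


# Constructed sample traffic: s1 is clean, s2 looks skimmed, s3 has not migrated.
SAMPLE_LOG = """\
s1 GET  https://shop.example/checkout
s1 POST https://api.stripe.com/v1/payment_methods
s2 GET  https://shop.example/checkout
s2 POST https://api.stripe.com/v1/sources
s2 POST https://api.stripe.com/v1/payment_methods
s3 POST https://api.stripe.com/v1/sources?client_secret=REDACTED
""".splitlines()

if __name__ == "__main__":
    for session, verdict in sorted(analyse(SAMPLE_LOG).items()):
        print(session, verdict)
```

In production the same check belongs in a Content Security Policy report handler or an egress proxy, where the request host and path are already logged.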
Via The Hacker News