Hackers Target Online Stores Using Stripe API Vulnerability for Card Theft

Security researchers at Jscrambler have discovered a sophisticated attack campaign in which hackers exploit Stripe's legacy API to steal customer payment information from online merchants. The campaign began in August 2024 and is ongoing; the researchers have identified 49 affected merchants.

The attackers inject malicious JavaScript code into e-commerce checkout pages, specifically targeting sites using popular platforms like WooCommerce, WordPress, and PrestaShop. This malicious code creates a fake payment form that mimics the legitimate Stripe interface while hiding the real payment elements.

What makes this attack particularly cunning is its use of Stripe's deprecated "sources" API endpoint to validate stolen card data before exfiltration. This validation step helps attackers ensure they only collect working payment credentials, making their operation more efficient and harder to detect.

"The skimming script hides the legitimate Stripe iframe and overlays it with a malicious one designed to mimic its appearance," explained researchers at Jscrambler. After the skimmer captures the payment details, the customer sees an error message asking them to reload the page.

The investigation revealed that each skimmer appears customized for individual target sites, suggesting the use of automated tools by the threat actors. Beyond Stripe, researchers discovered similar attacks impersonating Square payment forms and even adding cryptocurrency payment options including Bitcoin, Ethereum, Tether, and Litecoin.

Of the 49 identified victims, only 15 merchants have successfully removed the malicious code so far. Security experts recommend implementing real-time webpage monitoring to detect unauthorized scripts and using secure iframe solutions to prevent payment form hijacking.
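
The monitoring recommended above can start with a periodic audit of what the checkout page actually loads. The following is an added example, not code from Jscrambler or Stripe: it flags scripts from unlisted origins and the overlay pattern the researchers describe (payment iframe hidden, another iframe visible). The allowlisted origins, `shop.example`, the function names and the sample snapshot are assumptions constructed for illustration.

```javascript
// Added example: audit a checkout-page snapshot for the overlay-skimmer pattern.
// Both allowlists are assumptions; set them to what your checkout really loads.
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://shop.example", "https://js.stripe.com"]);
const PAYMENT_FRAME_ORIGINS = new Set(["https://js.stripe.com"]);

function originOf(url, base) {
  try { return new URL(url, base).origin; } catch { return "invalid"; }
}

// snapshot: { pageUrl, scripts: [{ src }], iframes: [{ src, visible }] }
function auditCheckout(snapshot) {
  const findings = [];
  for (const s of snapshot.scripts) {
    if (!ALLOWED_SCRIPT_ORIGINS.has(originOf(s.src, snapshot.pageUrl))) {
      findings.push({ type: "unexpected-script", detail: s.src });
    }
  }
  for (const f of snapshot.iframes) {
    const isPayment = PAYMENT_FRAME_ORIGINS.has(originOf(f.src, snapshot.pageUrl));
    if (isPayment && !f.visible) {
      findings.push({ type: "payment-iframe-hidden", detail: f.src });
    } else if (!isPayment && f.visible) {
      findings.push({ type: "unexpected-visible-iframe", detail: f.src });
    }
  }
  return findings;
}

// Browser-side collector (pass document and window); not called under Node.
function snapshotFromDom(doc, win) {
  const visible = (el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return cs.display !== "none" && cs.visibility !== "hidden" &&
      Number(cs.opacity) > 0 && r.width > 0 && r.height > 0;
  };
  const list = (sel) => [...doc.querySelectorAll(sel)];
  return {
    pageUrl: doc.location.href,
    scripts: list("script[src]").map((s) => ({ src: s.src })),
    iframes: list("iframe").map((f) => ({ src: f.src, visible: visible(f) })),
  };
}

// Constructed sample (all URLs made up): injected script, hidden Stripe frame, look-alike frame.
const TAMPERED = { pageUrl: "https://shop.example/checkout",
  scripts: [{ src: "/assets/app.js" }, { src: "https://js.stripe.com/v3/" }, { src: "https://cdn.injected.invalid/c.js" }],
  iframes: [{ src: "https://js.stripe.com/v3/frame.html", visible: false },
            { src: "https://cdn.injected.invalid/pay.html", visible: true }] };
console.log(auditCheckout(TAMPERED).map((f) => f.type));
```

Inline scripts and overlays positioned on top of a still-visible payment frame are outside what this check covers.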

The discovery highlights how cybercriminals continue to develop sophisticated methods to steal payment data while avoiding detection. Online merchants, particularly smaller businesses that may lack robust security resources, are advised to stay vigilant and regularly audit their payment systems for signs of compromise.