Old Stripe APIs are being hijacked for credit card skimmer attacks

The old Sources API is being used in credit card skimmer attacks to filter invalid credit card data.

Apr 3, 2025 - 15:28

  • Researchers found more than four dozen ecommerce sites infected with a credit card skimmer
  • The skimmer abused a deprecated Stripe API to validate the information
  • Users are advised to migrate to the new API

Legacy Stripe APIs are being hijacked to process fraudulent payments made on compromised ecommerce websites, experts have warned.

Cybersecurity researchers at Jscrambler have outlined a campaign which has been ongoing since at least late August 2024, with at least 49 ecommerce sites compromised with a credit card skimmer.

The final number of victims is probably a lot bigger, though, since the investigation is still ongoing.

"Sophisticated campaign"

On these 49 websites, the attackers injected malicious JavaScript code that overlaid the legitimate checkout page with a fake one. The overlaid page then harvested people’s payment information and, upon completion, served them a fake error asking them to reload the page.

The attackers would then use an old Stripe API, called “api.stripe[.]com/v1/sources”, to process the payments.

Jscrambler says that the attackers could “easily do that later” as well, using carding bots or dark web services.

However, there are benefits to doing it client-side, mostly since all websites were already using the API as part of their normal payment flow.

Furthermore, many security tools and researchers often use invalid credit card details as part of their work, so not skimming in these cases means being less likely to be detected.

How these websites got compromised is anyone’s guess, but Jscrambler speculates that the attackers were most likely abusing different vulnerabilities and misconfigurations. WooCommerce, WordPress, and PrestaShop sites were all targeted.

"This sophisticated web skimming campaign highlights the evolving tactics attackers use to remain undetected," the researchers said. "And as a bonus, they effectively filter out invalid credit card data, ensuring that only valid credentials are stolen."

The best way to mitigate this risk is to use the newest Stripe API to process the information. The one abused in these attacks was deprecated in favor of the PaymentMethods API in May 2024.
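As a starting point for that migration, a site owner can audit which scripts on the checkout page still call the deprecated endpoint. The following is an added example, not code from Jscrambler or Stripe; the record format (distilled from a browser request capture), the allowlist of expected script origins, and all sample URLs are assumptions constructed for illustration.

```javascript
// Added example: audit a checkout-page request capture for calls to the
// deprecated Stripe Sources endpoint named in the article.
// Assumption: each record is {method, url, initiator}, where initiator is the
// URL of the script that issued the request (e.g. distilled from a HAR export).
const LEGACY_HOST = "api.stripe.com";
const LEGACY_PATH = /^\/v1\/sources(\/|$)/;
// Assumption: script origins this shop expects to talk to Stripe.
const EXPECTED_INITIATORS = new Set(["https://js.stripe.com"]);

function originOf(u) {
  try { return new URL(u).origin; } catch { return null; }
}

function auditRequests(records) {
  const findings = [];
  for (const r of records) {
    let target;
    try { target = new URL(r.url); } catch { continue; } // skip malformed URLs
    // Exact host match, so look-alike hosts are not counted as Stripe.
    if (target.hostname !== LEGACY_HOST || !LEGACY_PATH.test(target.pathname)) continue;
    const from = originOf(r.initiator);
    findings.push({
      method: r.method,
      url: r.url,
      initiator: r.initiator || "(unknown)",
      // "migrate": legacy call from an expected script, move it to PaymentMethods.
      // "investigate": legacy call from a script that should not be talking to Stripe.
      severity: from && EXPECTED_INITIATORS.has(from) ? "migrate" : "investigate",
    });
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const sample = [
  { method: "POST", url: "https://api.stripe.com/v1/sources", initiator: "https://js.stripe.com/v3/" },
  { method: "POST", url: "https://api.stripe.com/v1/sources", initiator: "https://shop.example/wp-content/cache/min.js" },
  { method: "POST", url: "https://api.stripe.com/v1/payment_methods", initiator: "https://js.stripe.com/v3/" },
  { method: "GET", url: "https://api.stripe.com.lookalike.example/v1/sources", initiator: "https://shop.example/app.js" },
  { method: "POST", url: "not a url", initiator: "" },
];

for (const f of auditRequests(sample)) {
  console.log(`[${f.severity}] ${f.method} ${f.url} <- ${f.initiator}`);
}
```

Once the shop has moved to the PaymentMethods API, any remaining finding from this audit is unexpected and worth investigating regardless of its initiator.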

Via The Hacker News
