In a recent development, cybersecurity researchers have uncovered a highly sophisticated web skimming campaign that leverages a deprecated API from Stripe, a leading payment processing platform, to validate stolen payment card information before exfiltration. This method ensures that only valid card data is transmitted to the attackers, enhancing the efficiency of their operations and complicating detection efforts.
Overview of the Campaign
The campaign, active since at least August 20, 2024, has impacted approximately 49 merchants to date. Of these, 15 have successfully removed the malicious script injections from their websites. The attackers exploit vulnerabilities and misconfigurations in popular e-commerce platforms such as WooCommerce, WordPress, and PrestaShop to inject the initial stage of their malicious code.
Technical Details of the Attack
The attack unfolds in several stages:
1. Initial Compromise: The attackers gain access to the target website by exploiting security weaknesses in the site’s infrastructure.
2. Loader Script Deployment: A loader script is injected into the compromised site. This script is responsible for decoding and launching a Base64-encoded second-stage payload, which contains the URL pointing to the actual skimming script.
3. Skimmer Activation: The skimming script is designed to intercept and conceal the legitimate payment form on the checkout page. It then overlays a fraudulent form that closely mimics the appearance of the legitimate Stripe payment interface.
4. Data Validation and Exfiltration: When a user enters their payment details into the fake form, the skimmer captures this information and uses Stripe’s deprecated api.stripe[.]com/v1/sources API to validate the card details. Only valid card information is then exfiltrated to a remote server in a Base64-encoded format.
This method not only ensures the attackers collect only usable card data but also maintains the appearance of a normal transaction process, thereby reducing the likelihood of detection.
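The loader stage in step 2 gives defenders a concrete artefact to look for: an inline script that unpacks a Base64 literal into a URL and then fetches a second stage. The following Node.js script is an added example written for this article; it is not code from the researchers, from Stripe, or from any affected platform. It extracts the inline scripts of a page, flags calls to atob() and any Base64 token that decodes to an http(s) URL, and runs over two constructed sample pages (the second-stage URL under example.invalid is a placeholder, not an indicator from the campaign).

```javascript
// Added example (not from the article): heuristic scan of a page's inline
// <script> elements for the loader pattern described in step 2, i.e. a
// Base64 literal that decodes to a URL, together with a call to atob().
// Runs under Node.js; all sample pages and URLs below are constructed.

// Return the bodies of all non-empty inline <script> elements in a document.
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim().length > 0) bodies.push(m[1]);
  }
  return bodies;
}

// Decode a candidate Base64 token; report it only if the result is printable
// ASCII that looks like an http(s) URL, so ordinary identifiers are ignored.
function decodeIfUrl(token) {
  const text = Buffer.from(token, 'base64').toString('utf8');
  if (!/^[\x20-\x7e]+$/.test(text)) return null;
  return /^https?:\/\/\S+$/i.test(text) ? text : null;
}

// Scan one script body and return a list of findings.
function scanScript(body) {
  const findings = [];
  if (/\batob\s*\(/.test(body)) findings.push({ kind: 'atob-call' });
  const tokens = body.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || [];
  for (const token of tokens) {
    const url = decodeIfUrl(token);
    if (url) findings.push({ kind: 'base64-url', decoded: url });
  }
  return findings;
}

// Scan a whole page: findings from every inline script, flattened.
function scanPage(html) {
  return extractInlineScripts(html).flatMap(scanScript);
}

// Constructed samples. The second-stage URL is a placeholder, not an IoC.
const STAGE2_URL = 'https://example.invalid/second-stage.js';
const SAMPLE_INJECTED_PAGE = `<html><body>
<form id="payment-form"><input name="cardnumber"></form>
<script>var p = atob("${Buffer.from(STAGE2_URL).toString('base64')}"); /* loader continues */</script>
</body></html>`;
const SAMPLE_CLEAN_PAGE = `<html><body>
<form id="payment-form"><input name="cardnumber"></form>
<script src="/static/checkout.js"></script>
<script>document.getElementById("payment-form").addEventListener("submit", function () {});</script>
</body></html>`;

console.log('injected page:', scanPage(SAMPLE_INJECTED_PAGE));
console.log('clean page:', scanPage(SAMPLE_CLEAN_PAGE));
```

Run it against a saved copy of the checkout page (for example the HTML returned to a synthetic monitoring client) rather than against a developer's local build, since the injection lives on the compromised production site. The heuristic deliberately ignores Base64 that does not decode to a URL, so legitimate inline data such as embedded images does not trigger it; a hit on the checkout page is worth a manual look even when the decoded host is unfamiliar rather than obviously hostile.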
Implications and Broader Impact
The use of a deprecated API in this campaign highlights the risks associated with outdated or unsupported software components. It underscores the importance for organizations to regularly update and secure their systems to prevent such exploits.
Furthermore, the campaign’s ability to impersonate payment forms from other service providers, such as Square, indicates that the attackers are broadening their targets. The inclusion of cryptocurrency payment options like Bitcoin, Ether, Tether, and Litecoin in the skimming code suggests an adaptation to the evolving payment landscape, potentially increasing the scope and profitability of their operations.
Recommendations for Mitigation
To defend against such sophisticated web skimming attacks, organizations should consider the following measures:
– Regular Security Audits: Conduct comprehensive and frequent security assessments to identify and remediate vulnerabilities in web applications and infrastructure.
– Update and Patch Systems: Ensure that all software components, including APIs and plugins, are up-to-date and patched against known vulnerabilities.
– Implement Content Security Policies (CSP): Utilize CSP headers to restrict the sources from which scripts can be loaded, thereby preventing unauthorized script execution.
– Monitor for Anomalous Activity: Deploy monitoring tools to detect unusual behaviors, such as unexpected changes to payment forms or unauthorized script injections.
– Educate Staff and Users: Provide training on recognizing phishing attempts and the importance of secure coding practices to reduce the risk of initial compromise.
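The CSP recommendation is easiest to judge by checking which loads a given policy actually permits. The following Node.js program is an added example written for this article, not code from the researchers or from any platform it mentions: a small evaluator for the script-src directive that compares a permissive policy with a restrictive one against the two loads a skimmer depends on, an inline loader without the page's nonce and an external script from a host the merchant never approved. The merchant origin, nonce value and unapproved host are constructed; the only real host is js.stripe.com, which Stripe documents as the origin of Stripe.js.

```javascript
// Added example (not from the article): evaluator for the script-src directive
// of a Content-Security-Policy header, used to compare a permissive policy with
// a restrictive one. Hosts and nonce values are constructed, except
// js.stripe.com, which Stripe documents as the origin of Stripe.js. Runs under Node.js.

// Parse "directive v1 v2; directive v3" into { directive: [v1, v2], ... }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression ('self', a scheme such as "https:", or a host such
// as "https://js.stripe.com" or "*.example.com") permit scriptUrl?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return scriptUrl.origin === pageOrigin;
  if (e.startsWith("'")) return false;                      // other keywords never match a URL
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return scriptUrl.protocol === e;   // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scriptUrl.protocol !== scheme + ':') return false;
  const h = scriptUrl.hostname;
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  const actualPort = scriptUrl.port || defaultPort(scriptUrl.protocol);
  return !port || port === '*' || port === actualPort;
}

// Decide whether a script load is permitted by the policy. load is either
// { inline: true, nonce?: string } or { src: 'https://...' }.
function isScriptAllowed(header, load, pageOrigin) {
  const d = parsePolicy(header);
  const sources = d['script-src'] || d['default-src'] || [];
  const nonces = sources.filter(s => /^'nonce-.+'$/i.test(s)).map(s => s.slice(7, -1));
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  if (load.inline) {
    if (load.nonce && nonces.includes(load.nonce)) return true;
    // Per CSP Level 3, 'unsafe-inline' is ignored once a nonce or hash source is listed.
    return !hasNonceOrHash && sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  }
  const url = new URL(load.src);
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}

const PAGE_ORIGIN = 'https://shop.example';   // constructed merchant origin
const NONCE = 'r4nd0mN0nc3';                   // in practice a fresh random value per response
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_CSP = `default-src 'self'; script-src 'self' https://js.stripe.com 'nonce-${NONCE}'`;

// The loads a checkout page sees: the merchant's own inline script (carrying the
// nonce), an injected inline loader (no nonce), an external script from a host
// the merchant never approved, and Stripe.js itself.
const LOADS = {
  ownInline: { inline: true, nonce: NONCE },
  injectedInline: { inline: true },
  unapprovedHost: { src: 'https://cdn.example.invalid/s.js' },   // constructed
  stripeJs: { src: 'https://js.stripe.com/v3/' },
};

function evaluate(header) {
  const out = {};
  for (const [name, load] of Object.entries(LOADS)) out[name] = isScriptAllowed(header, load, PAGE_ORIGIN);
  return out;
}

console.log('weak  :', evaluate(WEAK_CSP));
console.log('strict:', evaluate(STRICT_CSP));
```

The permissive policy allows all four loads, so it would not have interfered with either stage of this campaign; the nonce-based policy allows only the merchant's own inline script and Stripe.js. Two caveats apply in practice. An attacker who can edit server-side templates can usually also edit the header or read the nonce, so CSP is a control against injections the attacker cannot fully shape, not a substitute for file integrity monitoring of the checkout templates. Second, the report-to directive (or the older report-uri) turns every blocked load into a report, which makes CSP double as the anomaly detection the previous bullet calls for.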
By adopting these proactive measures, organizations can enhance their defenses against web skimming attacks and protect sensitive customer information from being compromised.