Stripe API Skimming Campaign: Additional Victims & Insights

April 4, 2025, 9:04 a.m.

Description

A sophisticated web skimming campaign has been discovered that uses a legacy Stripe API to validate stolen payment details before exfiltration. The attack involves multiple stages, including malicious loader injection, decoding, and skimming. Jscrambler's research team identified 49 affected merchants and uncovered additional domains potentially involved in the campaign. The skimmers are tailored for each targeted site and exploit vulnerabilities in e-commerce platforms. The attackers employ minimal obfuscation and transmit stolen data without encryption. The campaign has been active since August 2024, primarily targeting WooCommerce and WordPress sites. To protect against such attacks, merchants are advised to implement real-time webpage monitoring and adopt hardened iframe implementations.

Date

  • Created: April 3, 2025, 10:07 p.m.
  • Published: April 3, 2025, 10:07 p.m.
  • Modified: April 4, 2025, 9:04 a.m.

Indicators

  • 149.255.35.143
  • 146.70.53.157

Additional Information

  • Retail
  • Finance