- Attackers abuse Stripe API via Google Tag Manager
- Malware scours payment data from compromised Magento sites
- Stolen card details exfiltrated via api.stripe.com
Cybercriminals have turned Stripe into a malware hosting platform in a new attack that steals online shoppers’ payment information. This is according to security firm Sansec, which discovered the campaign earlier this week.
Sansec claims that attackers managed to compromise some Magento/Adobe Commerce store websites and add a malicious Google Tag Manager (GTM) container.
When a buyer visits the website, the browser loads the GTM container from Google’s servers, and when the buyer reaches the checkout, the GTM code sends a request to Stripe’s API.
Steal information
GTM is a free tool that allows website owners to manage tracking, analytics, and other scripts on a website without directly modifying the site code. Since GTM is a widely used tool, loading code from googletagmanager.com seems completely normal and does not raise any red flags.
Stripe is an online payment processing platform that lets businesses process financial transactions over the internet, so a request to its API from a checkout page also looks legitimate. In reality, the GTM code fetches a Stripe customer record controlled by the attackers, whose fields hold pieces of malicious JavaScript. The website downloads these pieces, reassembles them into a working script, and runs it in the browser, turning Stripe into a storage locker for malicious code.
Once this script runs, it begins to “monitor” the checkout page. So when the victim enters their card details, the script copies everything including the card number, CVV, name, address and other relevant details.
Instead of immediately sending the data to the attackers, the malware first combines all the stolen information into a single string, applies XOR obfuscation, and stores the result locally in the browser. It then creates a fake Stripe client, splits the stolen data into two pieces, and creates a new Stripe client object in the attacker’s Stripe account that carries the stolen information out through Stripe’s API.
“The payload and stolen cards pass through api.stripe.com. Stores allow this domain by default, so the skimmer escapes content security policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain,” Sansec explained.
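As an added defender-side example (not code from Sansec, TechRadar or the Magento project), the following JavaScript monitor shows how a store could spot the two anomalies described above on its own checkout page: a GTM container the store never deployed, and an api.stripe.com call carrying a publishable key other than the store’s own, since objects created in the attacker’s Stripe account have to be authenticated with the attacker’s key rather than the merchant’s. The container ID, the publishable key, the report() callback and the two places a key is looked for (Authorization header and form-encoded key parameter) are assumptions made for this example.

```javascript
// Added example (not Sansec's or TechRadar's code): classify outbound requests
// from a checkout page against the store's own policy. Container IDs and the
// publishable key below are constructed placeholders.

const STORE_POLICY = {
  // GTM containers the store actually deployed (constructed placeholder).
  gtmContainers: new Set(["GTM-EXAMPLE1"]),
  // The store's own Stripe publishable key (constructed placeholder).
  stripePublishableKey: "pk_test_EXAMPLE_STORE_KEY",
};

// Read a header from either a plain object or a Headers-like object.
function getHeader(headers, name) {
  if (!headers) return null;
  if (typeof headers.get === "function") return headers.get(name);
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? hit[1] : null;
}

// Pull a publishable key out of a request: "Authorization: Bearer pk_..." or a
// form-encoded "key=pk_..." body parameter (assumed locations for this example).
function extractStripeKey(headers = {}, body = "") {
  const auth = getHeader(headers, "authorization");
  if (auth) {
    const m = /^Bearer\s+(pk_[A-Za-z0-9_]+)/.exec(auth);
    if (m) return m[1];
  }
  if (typeof body === "string" && body.length > 0) {
    const key = new URLSearchParams(body).get("key");
    if (key && key.startsWith("pk_")) return key;
  }
  return null;
}

// Classify one outbound request and return a short verdict string.
function classifyRequest(url, { headers = {}, body = "" } = {}, policy = STORE_POLICY) {
  let u;
  try { u = new URL(url); } catch { return "ok"; } // relative or odd URLs: out of scope here
  if (u.hostname === "www.googletagmanager.com" || u.hostname === "googletagmanager.com") {
    const id = u.searchParams.get("id");
    return id && policy.gtmContainers.has(id) ? "ok" : "unexpected-gtm-container";
  }
  if (u.hostname === "api.stripe.com") {
    const key = extractStripeKey(headers, body);
    if (key === policy.stripePublishableKey) return "ok";
    return key ? "foreign-stripe-key" : "stripe-call-without-store-key";
  }
  return "ok";
}

// Wrap fetch so every page-context call is classified before it leaves.
// report(verdict, url) is the store's alerting hook (assumption). Calls are
// observed, not blocked; blocking is a separate policy decision.
function installMonitor(report, policy = STORE_POLICY) {
  if (typeof globalThis.fetch !== "function") return false;
  const original = globalThis.fetch;
  globalThis.fetch = function (input, init = {}) {
    const url = typeof input === "string" ? input : input.url;
    const verdict = classifyRequest(url, { headers: init.headers || {}, body: init.body }, policy);
    if (verdict !== "ok") report(verdict, url);
    return original.call(this, input, init);
  };
  return true;
}
```

The monitor only sees requests made from the page’s own context, which is exactly where GTM-delivered code runs; a merchant whose legitimate Stripe calls happen inside Stripe’s own iframe would therefore expect to see no api.stripe.com traffic from page scripts at all, making any such call worth a closer look.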
