- Researchers have found more than four dozen e-commerce sites infected with a credit card skimmer
- The skimmer abused an obsolete Stripe API to validate the information
- Users are advised to migrate to the new API
Legacy Stripe APIs are being hijacked to process fraudulent payments made on compromised e-commerce sites, experts have warned.
Jscrambler cybersecurity researchers have described a campaign that has been running since at least August 2024, with at least 49 e-commerce sites compromised with a credit card skimmer.
The final number of victims is probably much higher, however, because the investigation is still underway.
“Sophisticated campaign”
On these 49 websites, the attackers injected malicious JavaScript code that overlaid the legitimate payment page with a fake one. The overlay then collected people’s payment information and, in the end, served them a fake error asking them to reload the page.
The attackers would then use an old Stripe API, called “api.stripe[.]com/v1/sources”, to process payments.
Jscrambler says the attackers could also “do it easily” using carding bots or dark web services.
However, there are advantages to doing it on the client side, mainly because all the websites already used the API as part of their normal payment flow.
In addition, many security tools and researchers often use non-valid credit card details in the course of their work, so not skimming in those cases means being less likely to be detected.
How these websites were compromised is anyone's guess, but Jscrambler speculates that the attackers most likely abused different vulnerabilities and misconfigurations. WordPress and PrestaShop sites were all targeted.
“This sophisticated web skimming campaign highlights the evolving tactics attackers use to stay undetected,” the researchers said. “And as a bonus, they effectively filter non-valid credit card data, ensuring that only valid identification information is stolen.”
The best way to mitigate this risk is to use the new Stripe API to process information. The one abused in these attacks was deprecated in favor of the PaymentMethods API in May 2024.
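As an added example (not taken from Jscrambler's report or from Stripe), the script below inventories requests to the deprecated Sources endpoint in a site's own request log, so that site owners can see which pages and scripts still need migrating. The record format, script paths and lookalike hostname are assumptions constructed for illustration.

```javascript
// Added example: inventory calls to Stripe's legacy Sources endpoint in a
// request log, so they can be migrated to the PaymentMethods API.
// The record shape {page, url, initiator} is a hypothetical simplified format.

const STRIPE_API_HOST = "api.stripe.com";
const LEGACY_PREFIX = "/v1/sources";          // endpoint named in the article
const CURRENT_PREFIX = "/v1/payment_methods"; // PaymentMethods API

// True when path is exactly the prefix or a sub-resource of it, so that
// "/v1/sources/src_123" matches but "/v1/sourcesfoo" does not.
function underPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + "/");
}

// Classify one request URL as "legacy", "current", or "other".
function classifyRequest(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // the parser lowercases the hostname for us
  } catch {
    return "other"; // not an absolute URL
  }
  // Exact host match: lookalikes such as api.stripe.com.example.net are not Stripe.
  if (u.protocol !== "https:" || u.hostname !== STRIPE_API_HOST) return "other";
  const path = u.pathname.replace(/\/+$/, ""); // ignore trailing slashes
  if (underPrefix(path, LEGACY_PREFIX)) return "legacy";
  if (underPrefix(path, CURRENT_PREFIX)) return "current";
  return "other";
}

// Group legacy calls by page, listing the scripts that initiated them.
function legacyInventory(records) {
  const byPage = new Map();
  for (const { page, url, initiator } of records) {
    if (classifyRequest(url) !== "legacy") continue;
    if (!byPage.has(page)) byPage.set(page, new Set());
    byPage.get(page).add(initiator);
  }
  return [...byPage].map(([page, s]) => ({ page, initiators: [...s].sort() }));
}

// Constructed sample records (not real traffic).
const SAMPLE = [
  { page: "/checkout", url: "https://api.stripe.com/v1/sources", initiator: "/js/checkout.js" },
  { page: "/checkout", url: "https://API.STRIPE.COM/v1/sources/src_test?x=1", initiator: "/js/vendor.js" },
  { page: "/checkout", url: "https://api.stripe.com.example.net/v1/sources", initiator: "/js/a.js" },
  { page: "/donate", url: "https://api.stripe.com/v1/payment_methods", initiator: "/js/donate.js" },
];

console.log(JSON.stringify(legacyInventory(SAMPLE), null, 2));
```

Any initiator listed for a page that the site's own checkout code does not account for is worth reviewing during the migration.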
Via The Hacker News