- Attackers abuse the Stripe API via Google Tag Manager
- Malware skims payment data from compromised Magento sites
- Stolen card information exfiltrated through api.stripe.com
Cybercriminals have turned Stripe into a malware hosting platform in a new attack that steals people’s payment information from online shoppers. This is according to cyber security researchers Sansec, who discovered the campaign earlier this week.
Sansec says the attackers managed to compromise certain Magento/Adobe Commerce store websites and add a malicious Google Tag Manager (GTM) container.
When a shopper visits the website, the browser loads the GTM container from Google’s servers, and when they reach checkout, the GTM code sends a request to Stripe’s API.
Steals the information
GTM is a free tool that lets website owners manage tracking, analytics and other scripts on a website without directly changing the website’s code. Since GTM is a widely used tool, loading code from googletagmanager.com looks completely normal and shows no red flags.
Stripe is an online payment processing platform that lets businesses handle financial transactions over the Internet, so a checkout page talking to its API is still nothing unusual. But the GTM code actually retrieves a Stripe customer record controlled by the attackers, inside of which are pieces of malicious JavaScript. The website downloads these pieces, reassembles them into a working script and then runs it in the browser, turning Stripe into a storage locker for malware code.
When that script runs, it starts “watching” the payment page, so when the victim enters their card details, the script copies everything, including the card number, CVV, name, address and other relevant details.
Instead of sending the data to the attackers immediately, the malware first combines all the stolen information into one string, applies XOR obfuscation and stores the result locally in the browser. The malware then creates a fake Stripe customer, splits the stolen data into two chunks, creates a new Stripe customer object in the attacker’s Stripe account, and uploads the stolen information.
“Both the payload and the stolen cards travel through api.stripe.com. Stores allow this domain by default, allowing the skimmer to bypass Content Security Policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain,” Sansec explained.
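Because the traffic never leaves the allow-listed domains, a defender has to look at *what* the checkout page asks of those domains rather than *where* it connects. The audit below is an added example, not Sansec's or Stripe's code: it runs over a constructed JSON-lines log of outbound requests from a checkout page (the `auth` field, the store's publishable key and the known GTM container IDs are all assumptions) and flags Stripe calls that a normal Stripe.js integration would not make, such as creating or reading customer objects from the browser or presenting a key other than the store's own, plus GTM containers the store never deployed.

```python
import json
from urllib.parse import urlparse, parse_qs

STORE_PUBLISHABLE_KEY = "pk_live_EXAMPLE"   # assumption: the store's own Stripe.js key
KNOWN_GTM_CONTAINERS = {"GTM-EXAMPLE"}      # assumption: containers the store deployed itself

# Constructed sample of outbound requests recorded from a checkout page, one JSON object
# per line; "auth" is a simplified view of the credential the request carried.
SAMPLE_LOG = """\
{"method": "GET", "url": "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE", "auth": ""}
{"method": "GET", "url": "https://www.googletagmanager.com/gtm.js?id=GTM-ROGUE0", "auth": ""}
{"method": "POST", "url": "https://api.stripe.com/v1/payment_methods", "auth": "Bearer pk_live_EXAMPLE"}
{"method": "GET", "url": "https://api.stripe.com/v1/customers/cus_EXAMPLE", "auth": "Bearer sk_live_EXAMPLE"}
{"method": "POST", "url": "https://api.stripe.com/v1/customers", "auth": "Bearer sk_live_EXAMPLE"}
"""


def classify(entry):
    """Return the reasons one request is suspicious (an empty list means it looks normal)."""
    u = urlparse(entry["url"])
    reasons = []
    if u.hostname == "www.googletagmanager.com":
        # A container ID the team did not deploy is exactly how this campaign gets onto the page.
        for cid in parse_qs(u.query).get("id", []):
            if cid not in KNOWN_GTM_CONTAINERS:
                reasons.append(f"unknown GTM container {cid}")
    elif u.hostname == "api.stripe.com":
        key = entry.get("auth", "").removeprefix("Bearer ").strip()
        if key != STORE_PUBLISHABLE_KEY:
            reasons.append("Stripe call not authenticated with the store's publishable key")
        # Customer objects are created and read server-side; the browser has no business touching them.
        if u.path.startswith("/v1/customers"):
            reasons.append("customer object read or written from the browser")
    return reasons


def audit(log_text):
    """Parse a JSON-lines request log and return [(url, reasons), ...] for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            findings.append((entry["url"], reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in audit(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```

The same two rules translate directly into a proxy or WAF policy: allow the checkout origin to reach api.stripe.com only for the endpoints Stripe.js actually needs, and alert on any GTM container ID that is not on the deployment list.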

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.