- Attackers abuse Stripe API via Google Tag Manager
- Malware steals payment data from compromised Magento sites
- Details of stolen cards exfiltrated via api.stripe.com
Cybercriminals have turned Stripe into a malware hosting platform, in a new attack that steals payment information from online shoppers. This is according to cybersecurity researchers Sansec, who discovered the campaign earlier this week.
Sansec says the attackers managed to compromise certain Magento/Adobe Commerce store websites and add a malicious Google Tag Manager (GTM) container.
Then, when a shopper visits the website, the browser loads the GTM container from Google’s servers, and once the shopper reaches checkout, the GTM code makes a request to the Stripe API.
Stealing information
GTM is a free tool that allows website owners to manage tracking, analytics, and other scripts on a website without directly modifying the site’s code. Since GTM is a widely used tool, uploading code from googletagmanager.com seems completely normal and raises no red flags.
Since Stripe is a legitimate online payment processing platform that lets businesses process financial transactions over the Internet, that request looks harmless on its own. But the GTM code actually retrieves a Stripe client record controlled by the attackers, inside of which are fragments of malicious JavaScript. The website downloads those pieces, reassembles them into a working script, and then runs it in the browser, turning Stripe into a storage locker for malware code.
Once the script runs, it starts “watching” the payment page, so when the victim enters their card details, the script copies everything including card number, CVV, name, address and other relevant details.
Then, instead of sending the data to the attackers immediately, the malware first combines all the stolen information into a single string, applies XOR obfuscation, and stores the result locally in the browser. The malware then creates a fake Stripe client, splits the stolen data into two parts, creates a new Stripe client object in the attacker’s Stripe account, and uploads the stolen information.
“Both the payload and stolen cards move through api.stripe.com. Stores allow that domain by default, so the skimmer bypasses Content Security Policy rules and network filters that would otherwise point traffic to an unknown skimmer domain,” Sansec explained.
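An added detection example, not code from the article, from Sansec or from Stripe: a checkout-page hook that classifies every fetch to api.stripe.com by the publishable key it carries, so a request authenticated with a key other than the store's own, which is what an upload into the attacker's Stripe account would have to use, gets reported instead of blending in with legitimate Stripe traffic. The placeholder keys and the report callback are constructed; the example assumes the key travels either as a `Bearer pk_...` Authorization header or as a `key=pk_...` form field, the two ways Stripe's client-side API accepts it.

```javascript
// Added example (constructed): flag api.stripe.com requests that do not use the store's key.
// STORE_KEYS holds the store's own publishable key(s); the value below is a placeholder.
const STORE_KEYS = new Set(["pk_live_STOREPLACEHOLDER"]);

// Pull the publishable key out of a request: Bearer header first, then a form-encoded body.
function extractStripeKey(headers, body) {
  const auth = headers && (headers["Authorization"] || headers["authorization"]);
  if (auth) {
    const m = /^Bearer\s+(pk_[A-Za-z0-9_]+)/.exec(auth);
    if (m) return m[1];
  }
  if (typeof body === "string") {
    const k = new URLSearchParams(body).get("key");
    if (k && k.startsWith("pk_")) return k;
  }
  return null;
}

// Returns "ignore" for non-Stripe hosts, "ok" for requests using an allowed key,
// "suspicious-no-key" when no publishable key is present at all, and
// "suspicious-foreign-key" when the key belongs to someone else's Stripe account.
function classifyStripeRequest(url, headers, body, allowedKeys = STORE_KEYS) {
  let host;
  try { host = new URL(url, "https://example.invalid").hostname; } catch { return "ignore"; }
  if (host !== "api.stripe.com") return "ignore";
  const key = extractStripeKey(headers, body);
  if (key === null) return "suspicious-no-key";
  return allowedKeys.has(key) ? "ok" : "suspicious-foreign-key";
}

// Wrap window.fetch on the checkout page; report() is the site's own alerting hook.
// Returns false outside a browser so the classifier can still be used on its own.
function installMonitor(report) {
  if (typeof window === "undefined" || typeof window.fetch !== "function") return false;
  const origFetch = window.fetch;
  window.fetch = function (input, init) {
    const url = typeof input === "string" ? input : input.url;
    const headers = init && init.headers ? Object.fromEntries(new Headers(init.headers)) : {};
    const verdict = classifyStripeRequest(url, headers, init && init.body);
    if (verdict !== "ok" && verdict !== "ignore") report({ url, verdict });
    return origFetch.apply(this, arguments); // never block, only observe
  };
  return true;
}
```

Only fetch is wrapped here; a skimmer using XMLHttpRequest would need the same classifier called from a wrapper around XMLHttpRequest.prototype.open and send.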