- Attackers abuse Stripe API via Google Tag Manager
- Malware skims checkout data from compromised Magento sites
- Stolen card details exfiltrated through api.stripe.com
Cybercriminals have turned Stripe into a malware hosting platform, in a new attack that steals people’s payment information from online shoppers. This is according to cybersecurity researchers Sansec, who discovered the campaign earlier this week.
Sansec says that the attackers managed to compromise certain Magento/Adobe Commerce store websites, and add a malicious Google Tag Manager (GTM) container.
When a shopper visits the website, the browser loads the GTM container from Google’s servers, and when they reach checkout, the GTM code makes a request to Stripe’s API.
Stealing the information
GTM is a free tool that lets website owners manage tracking, analytics, and other scripts on a website without directly modifying the site’s code. Since GTM is a widely used tool, loading code from googletagmanager.com looks completely normal and raises no red flags.
Stripe is an online payment processing platform that enables businesses to process financial transactions over the internet, so a request to its API from a checkout page also looks legitimate. But the GTM code actually retrieves a Stripe customer record controlled by the attackers, inside which are pieces of malicious JavaScript. The website downloads those pieces, reassembles them into a working script, then runs it in the browser, turning Stripe into a storage locker for malware code.
Once that script is running, it starts “watching” the checkout page, so when the victim types in their card details, the script copies everything, including the card number, CVV, name, address, and other relevant details.
Then, instead of sending the data to the attackers immediately, the malware first combines all stolen information into one string, applies XOR obfuscation, and stores the result locally in the browser. Next, it splits the stolen data into two chunks, creates a new Stripe customer object in the attacker’s Stripe account, and uploads the stolen information into that fake customer record.
“Both the payload and the stolen cards move through api.stripe.com. Stores allow that domain by default, so the skimmer slips past Content Security Policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain,” Sansec explained.
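Because the skimmer hides inside traffic to api.stripe.com that stores already allow, one practical check is to audit what the checkout page actually sends to that host. The script below is an added example (not Sansec’s or Stripe’s code) that scans a HAR-style capture of a checkout session and flags two things the article describes and a legitimate Stripe.js integration never does: using a secret key from the browser, and reading or creating Stripe customer objects client-side. The sample capture, the key values and the list of expected Stripe.js endpoints are constructed assumptions for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: a minimal HAR-style capture of a checkout page.
# The first entry mimics a normal Stripe.js call (publishable key travels in
# the form body, so there is no Authorization header); the next two mimic the
# pattern described in the article (client-side GET of a customer record
# holding the payload, then a POST creating a customer to hold stolen data).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "https://api.stripe.com/v1/payment_intents/pi_PLACEHOLDER/confirm",
                 "headers": []}},
    {"request": {"method": "GET", "url": "https://api.stripe.com/v1/customers/cus_PLACEHOLDER",
                 "headers": [{"name": "Authorization", "value": "Bearer sk_live_PLACEHOLDER"}]}},
    {"request": {"method": "POST", "url": "https://api.stripe.com/v1/customers",
                 "headers": [{"name": "Authorization", "value": "Bearer sk_live_PLACEHOLDER"}]}},
    {"request": {"method": "GET", "url": "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
                 "headers": []}},
]}})

# Endpoints a browser-side Stripe.js checkout is expected to call (assumption:
# kept deliberately narrow; extend it to match your own integration).
CLIENT_OK = re.compile(r"^/v1/(payment_intents|setup_intents|payment_methods|tokens|sources)(/|$)")

def audit_stripe_calls(har_text):
    """Return (reason, method, path) findings for api.stripe.com requests that a
    checkout page should never make from the shopper's browser."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlparse(req["url"])
        if url.hostname != "api.stripe.com":
            continue
        auth = next((h["value"] for h in req["headers"]
                     if h["name"].lower() == "authorization"), "")
        # Secret or restricted keys belong on the server; Stripe.js only uses pk_ keys.
        if re.search(r"\b(sk|rk)_(live|test)_", auth):
            findings.append(("secret key used from browser", req["method"], url.path))
        # Customer objects are server-side resources; here they carried the
        # payload (GET) and served as the exfiltration channel (POST).
        if url.path.startswith("/v1/customers"):
            findings.append(("customer object accessed client-side", req["method"], url.path))
        elif not CLIENT_OK.match(url.path):
            findings.append(("unexpected Stripe endpoint", req["method"], url.path))
    return findings

if __name__ == "__main__":
    for finding in audit_stripe_calls(SAMPLE_HAR):
        print(*finding)
```

Run it against a HAR exported from the browser’s network tab during a test checkout; any finding is worth tracing back to the GTM container that issued the request.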