Cybercriminals exploit Stripe API in new web skimming campaign
Cybercriminals have developed a new method for stealing payment data by targeting the popular Stripe payment API. In a campaign uncovered by cybersecurity researchers at Jscrambler, attackers have abused legacy functionality in the Stripe API to carry out web skimming attacks. This tactic has compromised online stores and allowed threat actors to collect sensitive credit card information.
A new technique for an old threat
Web skimming, also known as Magecart attacks, typically involves injecting malicious JavaScript into e-commerce websites. This script captures customer payment information during the checkout process. While the method itself is well-known, this campaign adds a layer of sophistication by integrating Stripe’s API into the attack chain.
Importantly, the attackers did not compromise Stripe directly. Instead, they took advantage of publicly accessible endpoints in Stripe’s legacy API to validate stolen credit card details. By doing so, the attackers were able to disguise their activity as legitimate traffic, making the campaign harder to detect.
How the campaign works
The attack begins with the injection of a JavaScript skimmer into a vulnerable e-commerce site. When a customer enters their payment details, the script captures the data and sends it to a server controlled by the attackers.
What makes this campaign more advanced is that the stolen credit card data is then validated in real time through the Stripe API. This step allows attackers to confirm that the card is active and can be used, reducing the time between theft and financial exploitation.
Risks for online retailers
This campaign highlights a critical risk for businesses operating online stores. Even when using secure payment processors like Stripe, a website can still be compromised if it lacks client-side security measures.
The attackers leveraged Stripe’s API without breaching its infrastructure. This underscores the importance of protecting the front-end environment, where scripts run and sensitive data is entered by users.
According to Jscrambler, real-time monitoring of client-side activity is essential. Without it, malicious scripts can go unnoticed, even on websites that appear secure from the outside.
What businesses can do
Retailers should ensure that they are using the latest version of Stripe’s API and that any deprecated endpoints are disabled. Additional client-side security measures such as Content Security Policy (CSP), Subresource Integrity (SRI), and JavaScript runtime protection can help detect and block skimming attempts.
Stripe has also encouraged developers to move away from older API versions, as newer implementations offer enhanced security and validation features.
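The CSP and SRI measures recommended above can be checked mechanically. This added example (not from Jscrambler, Stripe or the original article) audits a policy header for the gaps that let an injected script load and send data to an outside server, and lists external scripts that carry no integrity attribute; the sample policy, hosts and markup are constructed.

```javascript
// Added example: audit a CSP header and page markup for gaps a skimmer relies on.
// Parse a CSP header into { directive: [sources] }; a repeated directive is ignored.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// script-src and connect-src fall back to default-src; form-action does not.
function effective(policy, directive) {
  if (policy[directive]) return policy[directive];
  return directive === 'form-action' ? null : policy['default-src'] || null;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const d of ['script-src', 'connect-src', 'form-action']) {
    const sources = effective(policy, d);
    if (!sources) { findings.push(`${d}: not restricted`); continue; }
    for (const s of sources) {
      if (s === '*' || /^https?:$/i.test(s)) findings.push(`${d}: ${s} allows any host`);
    }
  }
  const script = effective(policy, 'script-src') || [];
  const strict = script.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (script.includes("'unsafe-inline'") && !strict)
    findings.push("script-src: 'unsafe-inline' permits injected inline scripts");
  return findings;
}

// External <script src> tags with no integrity attribute (no SRI).
function scriptsWithoutSri(html) {
  const missing = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']?(https?:\/\/[^"'\s>]+)/i.exec(m[1]);
    if (src && !/\bintegrity\s*=/i.test(m[1])) missing.push(src[1]);
  }
  return missing;
}

// Constructed sample inputs; hosts and markup are assumptions for illustration.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const SAMPLE_HTML = '<script src="https://cdn.example/a.js" integrity="sha384-PLACEHOLDER"></script>' +
  '<script src="https://cdn.example/b.js"></script><script src="/checkout.js"></script>';
console.log(auditCsp(WEAK_CSP), scriptsWithoutSri(SAMPLE_HTML));
```

An empty findings list means only that these specific gaps are absent; it does not replace runtime monitoring of what scripts actually do on the checkout page.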
The growing threat of client-side attacks
This campaign is part of a broader trend where attackers increasingly focus on the front end of web applications. As backend systems become more secure, the client side has become an attractive target due to its exposure and lack of visibility.
While this specific campaign involves abuse of payment APIs, attackers are also exploring other creative ways to exploit user-facing systems and trusted platforms. In one case, Russian hackers from the Star Blizzard group used QR codes in phishing emails to trick users into scanning malicious links – a tactic known as quishing. In another, cybercriminals abused the Zendesk platform to send brand impersonation messages, taking advantage of the trust users place in legitimate services.
These examples highlight a common theme: attackers are shifting their focus to the points where users interact directly with technology. This incident is a reminder that secure payment technology is not enough on its own. Businesses must also secure the environments where users input data and make decisions – because that’s where attackers are increasingly gaining access.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.