- Key Cybersecurity Considerations for 2025
- Stock your Kindle for summer: Get up to 93% off popular reads during Amazon's Book Sale
- I replaced my TV with a 4K UST projector - and the visual upgrade was worth it
- This Amazon Fire TV soundbar gave me room-filling audio without breaking the bank
- I found a Garmin smartwatch that's ideal for those who don't like the rugged design
Stripe API Skimming Campaign Unveils New Techniques for Theft
A new skimming attack leveraging the Stripe API to steal payment information has been uncovered by cybersecurity researchers at Jscrambler.
The attack, which injects a malicious script into e-commerce checkout pages, operates by intercepting and exfiltrating customer payment details in real-time.
Unlike traditional skimmers, which often insert rogue payment forms, this campaign exploits the legitimate Stripe API to siphon off data.
According to a new advisory published by Jscrambler today, the attackers inject JavaScript directly into checkout pages, allowing them to capture credit card details before they reach Stripe’s secure processing system.
The malware effectively mimics legitimate functions, making detection challenging. It waits for customers to input payment details, then silently transmits the stolen data to attacker-controlled domains.
This attack primarily affects online merchants using Stripe for payment processing. However, since businesses of all sizes have widely adopted Stripe, the potential exposure is significant.
“While the initial report did not disclose the number of compromised merchants, Jscrambler’s research team conducted an independent investigation and identified 49 merchants affected by this campaign so far,” the company said.
“This number is likely an underestimation, as new victims continue to be discovered.”
Jscrambler added that any e-commerce site relying on third-party scripts could be vulnerable, if proper security measures are not in place.
Read more on similar attacks: New PhishWP Plugin Enables Sophisticated Payment Page Scams
The researchers identified several red flags that can help businesses detect this attack:
- Unexpected modifications in JavaScript files
- Unusual network requests to unknown domains
- Changes in Stripe’s API calls that redirect data
To mitigate web skimming risks, merchants and payment service providers should also implement real-time webpage monitoring to detect unauthorized scripts, and use secure iFrame solutions to prevent hijacking and ensure compliance with PCI DSS 4.0.1 requirements.
“Given that small merchants often lack the expertise or resources to fully implement PCI DSS 4.0’s stringent requirements,” Jscrambler said, “automated solutions provide an essential layer of protection.”
Image credit: T. Schneider / Shutterstock.com
