Threat hunters are warning of a sophisticated web skimmer campaign that leverages a legacy application programming interface (API) from payment processor Stripe to validate stolen payment information prior to exfiltration.
“This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect,” Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho said in a report.
As many as 49 merchants are estimated to have been affected by the campaign to date. Fifteen of the compromised sites have taken action to remove the malicious script injections. The activity is assessed to be ongoing since at least August 20, 2024.
Details of the campaign were first flagged by security firm Source Defense towards the end of February 2025, detailing the web skimmer’s use of the “api.stripe[.]com/v1/sources” API, which allows applications to accept various payment methods. The endpoint has since been deprecated in favor of the new PaymentMethods API.
The attack chains employ malicious domains as the initial distribution point for the JavaScript skimmer that’s designed to intercept and hide the legitimate payment form on order checkout pages, serve a replica of the legitimate Stripe payment screen, validate it using the sources API, and then transmit it to a remote server in Base64-encoded format.
Jscrambler said the threat actors behind the operation are likely leveraging vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the initial stage script. This loader script serves to decipher and launch a Base64-encoded next-stage, which, in turn, contains the URL pointing to the skimmer.
“The skimming script hides the legitimate Stripe iframe and overlays it with a malicious one designed to mimic its appearance,” the researchers said. “It also clones the ‘Place Order’ button, hiding the real one.”
Once the details are exfiltrated, users are displayed an error message, asking them to reload the pages. There is some evidence to suggest that the final skimmer payload is generated using some sort of tool owing to the fact that the script appears to be tailored to each targeted site.
The security company further noted that it uncovered skimmer scripts impersonating a Square payment form, suggesting that the threat actors are likely targeting several payment service providers. And that’s not all. The skimming code has also been observed adding other payment options using cryptocurrencies like Bitcoin, Ether (Ethereum), Tether, and Litecoin.
“This sophisticated web skimming campaign highlights the evolving tactics attackers use to remain undetected,” the researchers said. “And as a bonus, they effectively filter out invalid credit card data, ensuring that only valid credentials are stolen.”
