Hackers abused Stripe and Google Tag Manager to launch a credit card theft campaign and host stolen payment details
Someone found a way to turn Stripe into a malware hosting platform
- Attackers abuse Stripe API via Google Tag Manager
- Malware skims checkout data from compromised Magento sites
- Stolen card details exfiltrated through api.stripe.com
Cybercriminals have turned Stripe into a malware hosting platform in a new attack that steals payment card details from online shoppers. This is according to cybersecurity researchers at Sansec, who discovered the campaign earlier this week.
Sansec says that the attackers managed to compromise certain Magento/Adobe Commerce store websites, and add a malicious Google Tag Manager (GTM) container.
When a shopper visits the website, the browser loads the GTM container from Google's servers, and once the shopper reaches checkout, the code in that container makes a request to Stripe's API.
Stealing the information
GTM is a free tool that lets website owners manage tracking, analytics, and other scripts on a website without directly modifying the site's code. Since GTM is a widely used tool, loading code from googletagmanager.com looks completely normal and raises no red flags.
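Because the foothold in this campaign is a GTM container the attackers added to the store, the first check a Magento operator wants is an inventory of which containers a page actually references, compared with the ones they configured. The script below is an added example, not code from Sansec or from this article; the page markup and both container IDs (GTM-ABC1234 for the store's own container, GTM-ZZZ9999 for the rogue one) are constructed for the demonstration.

```javascript
// Added example (not code from the Sansec report or this article): inventory the
// Google Tag Manager containers a storefront page actually references and compare
// them with the containers the store owner knows about. Node.js, no network access.

// Constructed sample checkout page. GTM-ABC1234 stands in for the store's own
// container and GTM-ZZZ9999 for one an attacker added; both IDs are made up.
const SAMPLE_HTML = `
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZ9999"></script>
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-ABC1234"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
</body></html>`;

// Container IDs have the form GTM-XXXXXXX (uppercase letters and digits).
const GTM_ID = 'GTM-[A-Z0-9]+';

// Every container ID the page references, whichever way it is loaded:
// the gtm.js / ns.html URL, or the last argument of the standard inline snippet.
function findGtmContainers(html) {
  const found = new Set();
  const viaUrl = new RegExp(`googletagmanager\\.com/(?:gtm\\.js|ns\\.html)\\?id=(${GTM_ID})`, 'g');
  const viaSnippet = new RegExp(`['"](${GTM_ID})['"]\\s*\\)`, 'g');
  for (const re of [viaUrl, viaSnippet]) {
    for (const m of html.matchAll(re)) found.add(m[1]);
  }
  return [...found].sort();
}

// Split what the page loads into containers the owner configured and ones they did not.
function auditGtmContainers(html, allowlist) {
  const allowed = new Set(allowlist);
  const known = [];
  const unknown = [];
  for (const id of findGtmContainers(html)) {
    (allowed.has(id) ? known : unknown).push(id);
  }
  return { known, unknown };
}

// Usage: the allowlist is whatever the store's admin configuration says it loads.
const report = auditGtmContainers(SAMPLE_HTML, ['GTM-ABC1234']);
console.log(report); // { known: [ 'GTM-ABC1234' ], unknown: [ 'GTM-ZZZ9999' ] }
```

The audit only sees what is in the served HTML. A tag inside a legitimate container can itself load further scripts, so the tags configured inside each known container also need a review in the GTM console, and the allowlist should come from the store's own configuration rather than from a previous crawl of the site.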
Stripe is an online payment processing platform, so a request from a checkout page to its API also looks legitimate. But what the GTM code actually retrieves is a Stripe customer record controlled by the attackers, inside which pieces of malicious JavaScript are stored. The page downloads those pieces, reassembles them into a working script and runs it in the browser, turning Stripe into a storage locker for the malware code.
Once that script is running, it starts “watching” the checkout page, so when the victim types in their card details, the script copies everything, including the card number, CVV, name, address, and other relevant details.
Instead of sending the data to the attackers immediately, the malware first combines all of the stolen information into one string, applies XOR obfuscation, and stores the result locally in the browser. It then splits that data into two chunks, creates a new customer object in the attackers' own Stripe account, and uploads the stolen information inside it.
"Both the payload and the stolen cards move through api.stripe.com. Stores allow that domain by default, so the skimmer slips past Content Security Policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain," Sansec explained.
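A CSP connect-src allowlist filters by origin only, so it cannot distinguish the merchant's Stripe account from the attackers'. What can is the API key each request carries. The script below is an added example, not code from Sansec or from this article; it assumes that browser-issued Stripe API calls carry their key in an Authorization: Bearer header or a key= form field, that publishable keys start with pk_ and secret keys with sk_, and that a store's checkout only ever uses the store's own publishable key. The request log and every key value and URL in it are constructed, and the article does not say how the skimmer authenticates to Stripe.

```javascript
// Added example (not code from the Sansec report or this article): a CSP connect-src
// allowlist sees only the hostname, so it cannot tell the merchant's Stripe account
// from an attacker's. This audits captured checkout-page requests to api.stripe.com
// by the API key they carry instead. Node.js, constructed data, no network access.

// Assumptions, not taken from the article: Stripe API calls carry their key either
// in an "Authorization: Bearer" header or in a "key=" form field, publishable keys
// begin with pk_ and secret keys with sk_, and a store's checkout should only ever
// use the store's own publishable key. All key values and URLs below are made up.
const STORE_PUBLISHABLE_KEY = 'pk_live_storeexample000';

// Constructed request log, the shape you would get from a HAR export or a proxy.
// Bodies are abbreviated; what the skimmer actually puts in the customer object is
// not shown here.
const SAMPLE_REQUESTS = [
  { method: 'POST', url: 'https://api.stripe.com/v1/payment_methods',
    headers: {}, body: 'type=card&key=pk_live_storeexample000' },
  { method: 'GET', url: 'https://api.stripe.com/v1/customers/cus_example123',
    headers: { authorization: 'Bearer sk_live_attackerexample999' }, body: '' },
  { method: 'POST', url: 'https://api.stripe.com/v1/customers',
    headers: { authorization: 'Bearer sk_live_attackerexample999' },
    body: 'description=...' },
  { method: 'POST', url: 'https://api.stripe.com/v1/tokens',
    headers: {}, body: 'key=pk_live_otherexample111' },
  { method: 'POST', url: 'https://store.example/checkout/',
    headers: {}, body: 'step=payment' },
];

// Pull the Stripe key out of a request: Bearer header first, then a key= form field.
function extractStripeKey(req) {
  const auth = req.headers.authorization || req.headers.Authorization || '';
  const m = auth.match(/^Bearer\s+(\S+)/i);
  if (m) return m[1];
  return new URLSearchParams(req.body || '').get('key');
}

// Classify one request. Returns null for anything that is not a Stripe API call.
function classifyStripeRequest(req, storeKey) {
  if (new URL(req.url).hostname !== 'api.stripe.com') return null;
  const key = extractStripeKey(req);
  let verdict;
  if (!key) verdict = 'no-key';                                      // inspect manually
  else if (key.startsWith('sk_')) verdict = 'secret-key-in-browser'; // never legitimate client-side
  else if (key === storeKey) verdict = 'expected';
  else verdict = 'foreign-key';                                      // someone else's Stripe account
  return { method: req.method, url: req.url, key, verdict };
}

// Everything to api.stripe.com that is not the store talking to its own account.
function auditStripeRequests(requests, storeKey) {
  return requests
    .map((req) => classifyStripeRequest(req, storeKey))
    .filter((r) => r !== null && r.verdict !== 'expected');
}

for (const f of auditStripeRequests(SAMPLE_REQUESTS, STORE_PUBLISHABLE_KEY)) {
  console.log(`${f.verdict}: ${f.method} ${f.url}`);
}
```

Stripe's own client library will legitimately call api.stripe.com with the store's publishable key, so the expected set is never empty; the findings are the calls that use some other account, and a secret key appearing in browser-issued traffic is a finding on its own. This is a request-level check, run against a HAR capture, a proxy log or an instrumented test browser, because, as the quote above says, the hostname alone is the thing the store has already allowed.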

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.