SOURCE DEFENSE RESEARCH INTELLIGENCE NEWS
March 4, 2025
Welcome to the first edition of the Source Defense Research Intelligence News, where we share the latest attack findings from our research team—keeping you informed and protected against emerging threats.
NEW THREAT: ABUSE OF STRIPE'S DEPRECATED API
Sophisticated campaign conceals skimming from cybercrime researchers
The attack exploits Stripe’s deprecated API to verify card details before exfiltration, ensuring only valid payment information is harvested while maintaining a seamless customer experience.
Even more concerning, attackers are using this as a "firewall" against cybercrime researchers. When researchers attempt to detect attacks using test credit cards—a common practice—the malicious code first submits them to the Stripe API for validation. Since test cards are always rejected, the attack never triggers exfiltration, allowing it to evade detection entirely.
For full attack details, read our blog: https://sourcedefense.com/resources/blog/sophisticated-eskimming-campaign-conceals-itself-by-leveraging-stripe-api/
How does Source Defense protect you from such attacks?
Our dedicated research team continuously identifies emerging attack techniques, ensuring our engine effectively detects, alerts, and protects against such threats.
Rest assured, none of our customers have been targeted by this attack to date. If the malicious script is loaded onto your site, it will automatically receive the block policy.
Additionally, our professional services team will proactively reach out to inform you of the potential threat. This is particularly critical for our customers using our Detect product, as they will need to block the script manually.
How will you be alerted?
In addition to the protection described above and proactive outreach from our professional services team, if this attack were active on your website, you would receive alerts for:
These alerts would be prominently displayed in:
It’s important to note that these flagged domains may not yet be recognized by external blacklist providers—but they are proactively identified and classified as blacklisted within our system.
See the screenshots below to understand how this information is displayed when this script is detected on a website.
For any further clarification, reach out to support@sourcedefense.com.
![]()
![]()
Any questions? Contact us at: support@sourcedefense.com
For the latest cyber research news, follow us at https://x.com/sdcyberresearch