Cybersecurity researchers at Jscrambler have recently uncovered a highly sophisticated web-skimming campaign that specifically targets online retailers. According to the researchers, the campaign uses a legacy application programming interface (API) to validate stolen credit card details in real time before sending them to malicious servers. By adopting this technique, the attackers ensure that they collect only active, valid card numbers, increasing the efficiency and potential profitability of their illicit operations.
The Jscrambler analysis, which was shared with Hackread.com, revealed that this web-skimming operation has been ongoing since at least August 2024. The attack typically begins with the injection of malicious JavaScript code into the checkout pages of targeted websites, designed to mimic legitimate payment forms and capture customer payment information in real time. The code is further obfuscated by hiding its crucial URLs inside a base64-encoded string, which conceals them from static security analyses such as those performed by Web Application Firewalls (WAFs).
The distinguishing feature of this campaign lies in its utilization of a deprecated version of the Stripe API, a renowned payment processing service, to verify the card’s validity before transmitting the data to the attackers’ servers. As part of the process, the legitimate Stripe iframe is concealed and replaced with a deceptive imitation, while the “Place Order” button is cloned to hide the original one. The entered payment data is validated using Stripe’s API, and if the card details are confirmed, they are promptly sent to a drop server controlled by the attackers. Following this, users are prompted to reload the page after encountering an error message.
Researchers have pointed out that the online retailers most affected by this campaign are those who use popular e-commerce platforms such as WooCommerce, WordPress, and PrestaShop. Furthermore, variations of the Silent Skimmer were also observed, albeit inconsistently. According to the findings, approximately 49 merchants were identified as being affected, with suspicions that this number might actually be higher. Additionally, two domains were recognized as being used for the attack’s second and third stages, along with 20 other domains on the same server. It was noted that 15 of the compromised sites had taken measures to address the issue.
Further investigation revealed that the skimmer scripts are dynamically generated and customized for each targeted website, indicating a significant level of sophistication and automated deployment. Researchers even employed a brute-forcing technique by manipulating the Referrer header to identify more victims of this malicious campaign.
In some instances, the skimmer impersonated a Square payment iframe, while in others it injected payment options such as cryptocurrency wallets, along with dynamically inserting fake MetaMask connection windows, although the wallet addresses associated with these attempts showed minimal recent activity.
In their blog post, the researchers advised online merchants to implement real-time webpage monitoring solutions to detect unauthorized script injections. They also suggested that Third-Party Service Providers (TPSPs) could enhance security by adopting hardened iframe implementations to prevent iframe hijacking and form modifications.
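One way a merchant could approximate the real-time page monitoring recommended above is a client-side audit that flags the specific behaviours this campaign exhibits: scripts from unexpected hosts, URLs hidden in base64 literals, a hidden genuine Stripe iframe next to a lookalike, and a duplicated "Place Order" button. This is an added example, not code from the Jscrambler report or from Hackread; the allowlist (js.stripe.com plus the shop's own origin) and every hostname in it are constructed placeholders.

```javascript
// Added example, not code from the Jscrambler report. It audits a checkout page for the
// behaviours described above; the allowlist and all hostnames are constructed assumptions.
const ALLOWED_HOSTS = new Set(["js.stripe.com", "shop.example"]);
const hostOf = (src) => new URL(src, "https://shop.example/").hostname;
// Decode base64 string literals in inline script text and return any URLs hidden inside.
function hiddenUrlsIn(scriptText) {
  const urls = [];
  for (const m of scriptText.matchAll(/["']([A-Za-z0-9+/]{16,}={0,2})["']/g)) {
    let decoded;
    try { decoded = atob(m[1]); } catch { continue; } // not valid base64, skip it
    urls.push(...(decoded.match(/https?:\/\/[^\s"'<>]+/g) || []));
  }
  return urls;
}
// Audit a snapshot { scripts: [{src, text}], iframes: [{src, hidden}], placeOrderButtons: n }.
function auditCheckout(snapshot) {
  const findings = [];
  for (const s of snapshot.scripts) {
    if (s.src && !ALLOWED_HOSTS.has(hostOf(s.src))) findings.push(`script from unexpected host ${hostOf(s.src)}`);
    for (const u of hiddenUrlsIn(s.text || "")) findings.push(`base64-hidden URL in inline script: ${u}`);
  }
  for (const f of snapshot.iframes) {
    const host = hostOf(f.src);
    if (host.endsWith("stripe.com") && f.hidden) findings.push("genuine Stripe iframe is hidden");
    else if (!host.endsWith("stripe.com") && !ALLOWED_HOSTS.has(host)) findings.push(`iframe from unexpected host ${host}`);
  }
  if (snapshot.placeOrderButtons > 1) findings.push(`${snapshot.placeOrderButtons} "Place Order" buttons, expected 1`);
  return findings;
}
// In a browser, snapshot the live DOM (the visibility check is a heuristic) and re-audit on every mutation.
function snapshotFromDocument(doc) {
  const hidden = (el) => el.offsetParent === null || getComputedStyle(el).visibility === "hidden";
  return {
    scripts: [...doc.scripts].map((s) => ({ src: s.src, text: s.textContent })),
    iframes: [...doc.querySelectorAll("iframe")].map((f) => ({ src: f.src, hidden: hidden(f) })),
    placeOrderButtons: [...doc.querySelectorAll("button")].filter((b) => /place order/i.test(b.textContent)).length,
  };
}
if (typeof document !== "undefined") {
  new MutationObserver(() => console.warn(auditCheckout(snapshotFromDocument(document))))
    .observe(document.documentElement, { childList: true, subtree: true, attributes: true });
}
// Constructed snapshot reproducing the reported pattern: base64-hidden drop URL, hidden real
// Stripe iframe, lookalike iframe from a placeholder host, and a cloned "Place Order" button.
const SAMPLE = { placeOrderButtons: 2,
  scripts: [{ src: "https://js.stripe.com/v3/", text: "" },
            { src: "", text: 'var u=atob("aHR0cHM6Ly9kcm9wLWV4YW1wbGUuaW52YWxpZC9jb2xsZWN0");' }],
  iframes: [{ src: "https://js.stripe.com/v3/elements", hidden: true },
            { src: "https://cdn-placeholder.invalid/form", hidden: false }] };
console.log(auditCheckout(SAMPLE)); // 4 findings
```

Run in Node it audits the constructed snapshot; loaded in a browser it re-audits the live checkout page on every DOM change.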
“Jscrambler’s research team continues to track this campaign, and we urge all online merchants to prioritize security measures against client-side threats,” the researchers concluded.
The sophisticated nature of this web-skimming campaign highlights the evolving tactics employed by cybercriminals to exploit vulnerabilities in online retail systems. It underscores the importance of robust cybersecurity measures and heightened vigilance to safeguard sensitive customer data from malicious actors.