THE TREND CONTINUES: STOLEN CREDIT CARDS ROUTED THROUGH TRUSTED VERCEL CLOUD APP
Source Defense Threat Research has identified a new Magecart variant leveraging a subdomain hosted on the legitimate Vercel platform – m-stripe.vercel.app – to collect and exfiltrate sensitive payment data.
This campaign continues a significant evolution in attacker tactics: abusing trusted cloud and CDN providers to host malicious skimmers, which makes detection and mitigation substantially harder.
While many of our customers – like most modern web developers – use services such as Vercel for their legitimate business needs, Source Defense’s system continues to protect them. Our platform monitors all 1st-party script behaviors in real time and reports each new subdomain these monitored scripts communicate with, ensuring visibility into malicious behaviors hidden within trusted infrastructures.
Source Defense immediately reported the abuse to Vercel upon discovery to support swift remediation and takedown efforts.
Attack details
The attack was identified on a UK-based merchant’s site. The skimmer was placed as an inline script and closely mimicked legitimate Stripe payment functionality, using function names such as latepointPaymentsStripeAddon and manipulating the Stripe card fields (cardNumber, cardExpiry, cardCvc).
The malicious code manipulates payment form elements, capturing sensitive user input. The skimmer collects digital fingerprints, including screen resolution, browser features, fonts, plugins, and hardware identifiers.
The stolen data was sent to an attacker-controlled drop server hosted on Vercel.
The Rising Risk of “Legit Service Abuse”
This campaign highlights a broader and increasingly common trend in modern web threats:
- Attackers register free or low-cost subdomains on legitimate services (like Vercel, GitHub Pages or Firebase).
- These hosts are trusted by enterprise networks, often bypassing allowlists and CSPs (Content Security Policies).
- The malicious code appears as 1st-party script, making traditional 3rd-party blocking approaches ineffective.
This means that security teams can no longer rely solely on domain reputation or static blocklists. Instead, behavioral monitoring and anomaly detection—especially for first-party scripts—are essential.
How Source Defense protects against such threats
Source Defense’s platform is uniquely designed to monitor both 3rd- and 1st-party scripts, identifying malicious behavior even when:
- The domain appears legitimate (e.g., *.vercel.app).
- The script is injected inline or loaded via trusted sources.
- Traditional script blocking cannot be safely applied.
Our solution provides:
- Behavioral monitoring of 1st-party scripts in real-time.
- Domain-level visibility, including new or unexpected subdomains the page communicates with.
Even for customers who also host content on platforms like Vercel, Source Defense continues to ensure full visibility and protection.
Key Takeaways
- Attackers now hide in plain sight—abusing trusted services as endpoints for data exfiltration.
- Static defenses are no longer enough; behavioral and contextual detection is critical.
- Source Defense remains effective against this class of attacks by continuously monitoring and analyzing all client-side behaviors.
- Visibility into new subdomains and communication channels ensures early detection before data theft occurs.
- Responsible disclosure matters—Source Defense acted immediately to alert Vercel and aid in the mitigation of this abuse.
Recommendations
- Review recent payment integrations and ensure all 1st-party scripts are monitored.
- Treat subdomains of trusted platforms (e.g., vercel.app, github.io) with the same scrutiny as unknown domains.
- Use Source Defense’s reporting and alerting to identify suspicious 1st-party behaviors or communications with newly observed endpoints.
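As an added illustration of the baseline-and-new-subdomain approach described under “Legit Service Abuse” and in the Recommendations (example code, not Source Defense’s platform and not code from the campaign), the JavaScript below classifies a page’s outbound request hosts against a constructed baseline and treats unknown tenants of shared hosting platforms as new, because a sibling *.vercel.app subdomain is not vouched for by a legitimate one. The baseline hosts, the platform suffix list, the sample URLs and all host names other than m-stripe.vercel.app are assumptions.

```javascript
// Added example (not Source Defense's code): flag page requests to hosts outside the page's
// baseline, and treat subdomains of shared-hosting platforms as untrusted even when a sibling
// subdomain of the same platform is legitimately used by the page.
const SHARED_HOSTING_SUFFIXES = ["vercel.app", "github.io", "web.app", "firebaseapp.com"];

// Hosts this page is expected to talk to (constructed baseline for a fictional merchant).
const BASELINE_HOSTS = new Set([
  "shop.example", "api.stripe.com", "js.stripe.com", "assets-demo.vercel.app",
]);

function sharedSuffix(host) {
  return SHARED_HOSTING_SUFFIXES.find((s) => host === s || host.endsWith("." + s)) || null;
}

// Returns { host, verdict, reason }; verdict is "known" | "new-shared-host" | "new".
function classifyRequest(url, baseline = BASELINE_HOSTS) {
  const host = new URL(url, "https://shop.example/").hostname; // relative URLs are 1st-party
  if (baseline.has(host)) return { host, verdict: "known", reason: "in baseline" };
  const suffix = sharedSuffix(host);
  if (suffix) {
    // Any tenant can register a name here; a CSP entry such as
    // connect-src https://*.vercel.app would still allow this host.
    return { host, verdict: "new-shared-host", reason: "unknown tenant on " + suffix };
  }
  return { host, verdict: "new", reason: "host not in baseline" };
}

// Browser-only hook: observe the page's own outbound resource loads (fetch, XHR, beacons,
// images) through PerformanceObserver and report anything that is not in the baseline.
function installMonitor(report) {
  if (typeof window === "undefined" || typeof PerformanceObserver === "undefined") return false;
  const obs = new PerformanceObserver((list) => {
    for (const e of list.getEntries()) {
      const r = classifyRequest(e.name);
      if (r.verdict !== "known") report(r, e.initiatorType);
    }
  });
  obs.observe({ type: "resource", buffered: true });
  return true;
}

// Constructed sample of resource URLs as a monitor might see them on a checkout page.
const SAMPLE_REQUESTS = [
  "https://js.stripe.com/v3/",
  "https://assets-demo.vercel.app/fonts/a.woff2",
  "https://m-stripe.vercel.app/collect",
  "https://cdn.unknown-example.net/x.js",
];

// Offline triage over a list of URLs: returns only the non-baseline hosts.
function triage(urls = SAMPLE_REQUESTS) {
  return urls.map((u) => classifyRequest(u)).filter((r) => r.verdict !== "known");
}
```

In a page, call `installMonitor((r, via) => navigator.sendBeacon("/csp-like-report", JSON.stringify({ ...r, via })))` to ship findings to your own reporting endpoint; `triage()` runs the same logic over captured URLs offline.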