Web Skimmer Campaigns Using Legacy Stripe APIs

A recently uncovered web skimming scheme is elevating online fraud by leveraging an outdated Stripe API to verify stolen payment cards before delivering them to attackers. This savvy approach guarantees that only functional, valid cards reach cybercriminals, thereby enhancing the efficiency and profitability of their operations while also making them more difficult to combat and detect.

A Growing Threat to E-Commerce

Researchers believe that at least 49 online retailers have fallen prey to this attack, yet only 15 have acted to eliminate the harmful scripts. The skimmer campaign seems to have been active since August 20, 2024, surreptitiously pilfering credit card information while staying unnoticed.

How the Attack Works

In February 2025, security firm Source Defense detected this attack, showing that hackers are exploiting the “api.stripe[.]com/v1/sources” API. This legacy feature was previously utilized for processing multiple payment methods. Despite being officially succeeded by Stripe’s PaymentMethods API, the old endpoint continues to operate, permitting attackers to take advantage of it.
Here’s how the attack unfolds:

Infection Starts

Hackers embed harmful JavaScript skimmers into at-risk e-commerce sites, frequently exploiting security vulnerabilities in WooCommerce, WordPress, and PrestaShop.

Legitimate Payment Form Gets Hijacked

The skimmer conceals the genuine Stripe checkout form and displays a counterfeit version that appears identical.

Stolen Data is Validated

Rather than indiscriminately gathering payment information, attackers utilize Stripe’s outdated API to verify whether the stolen cards remain active.

Filtered Data is Exfiltrated

Only valid card information is transmitted to a remote server using Base64 encoding, ensuring the attack is both discreet and effective.

Users Remain Unaware

After entering their payment information, shoppers encounter an error message that advises them to refresh the page, allowing hackers an opportunity to evade detection.

More Than Just Stripe—Other Payment Providers Targeted

Additional analysis indicates that the hackers are expanding their efforts beyond Stripe. Security researchers discovered skimmers mimicking Square’s payment platform, indicating a wider initiative aimed at various payment service providers.
Even more alarming, the attack extends beyond traditional credit cards—the skimming scripts have been altered to include cryptocurrency payment options such as Bitcoin, Ethereum, Tether, and Litecoin, which could enable attackers to funnel stolen funds into untraceable crypto wallets.
Why This Attack Is So Dangerous:
How Merchants Can Protect Themselves:
To protect against modern web skimmers’ threats, online retailers need to:

Staying Ahead of Cyber Threats: Essential Insights for Merchants

This campaign serves as a wake-up call for online merchants: Hackers are becoming more intelligent, and outdated APIs have become their new playground. Businesses that do not update their security strategies risk becoming silent victims of highly sophisticated payment fraud.
Merchants can proactively enhance security by securing checkout pages, monitoring JavaScript activity, and removing outdated APIs to stay ahead of evolving cyber threats before they occur.
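
As an added illustration of monitoring JavaScript activity on a checkout page (not code from Source Defense or Stripe), the following Node.js sketch audits captured network requests for the two signals described above: a call to the legacy /v1/sources endpoint and Base64-encoded card data sent to a host outside an allowlist. The allowlist, the hostnames shop.example and cdn.collector.example, and the sample capture are constructed assumptions, and the check assumes the site has already migrated to the PaymentMethods API, so any Sources call is unexpected.

```javascript
// Added example: audit network requests captured from a checkout page.
// ALLOWED_HOSTS and the request objects below are constructed assumptions.
const ALLOWED_HOSTS = new Set(["shop.example", "api.stripe.com", "js.stripe.com"]);
const LEGACY_PATH = "/v1/sources"; // legacy Stripe endpoint named in the article

// Luhn checksum: true if the digit string could be a payment card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Decode Base64-looking runs in a body and report whether any hides a card number.
function base64HidesCard(body) {
  const runs = body.match(/[A-Za-z0-9+/]{20,}={0,2}/g) || [];
  return runs.some((run) => {
    const text = Buffer.from(run, "base64").toString("latin1");
    const candidates = text.match(/\d{13,19}/g) || [];
    return candidates.some(luhnValid);
  });
}

// Return one finding per suspicious request; an empty array means nothing flagged.
function auditRequests(requests) {
  const findings = [];
  for (const { url, body = "" } of requests) {
    const { hostname, pathname } = new URL(url);
    if (hostname === "api.stripe.com" && pathname.startsWith(LEGACY_PATH)) {
      findings.push({ url, reason: "legacy-stripe-sources-call" });
    } else if (!ALLOWED_HOSTS.has(hostname) && base64HidesCard(body)) {
      findings.push({ url, reason: "base64-card-data-to-unlisted-host" });
    }
  }
  return findings;
}

// Constructed sample capture (4242... is Stripe's documented test card number).
const SAMPLE = [
  { url: "https://api.stripe.com/v1/payment_methods", body: "type=card" },
  { url: "https://api.stripe.com/v1/sources", body: "type=card" },
  { url: "https://cdn.collector.example/p", body: "d=" + Buffer.from('{"n":"4242424242424242"}').toString("base64") },
  { url: "https://shop.example/cart", body: "qty=2" },
];
console.log(auditRequests(SAMPLE));
```

The same request list can be built from a HAR export of a test checkout session; the allowlist should be limited to the hosts the payment flow actually needs.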
