Magecart Campaign Leverages Stripe API for Payload Delivery and Exfiltration
A sophisticated Magecart campaign is utilizing a "Living off Trusted Sites" (LoTS) strategy to steal credit card data by abusing the Stripe API. Attackers use Google Tag Manager (GTM) to deploy a loader on checkout pages, which subsequently fetches a malicious JavaScript skimmer hosted within Stripe's customer metadata fields. By leveraging stripe.com as both the Command and Control (C2) server for payload delivery and the exfiltration sink, the threat actors effectively neutralize Content Security Policies (CSP) and domain-based filters that implicitly trust Stripe and Google domains. This approach highlights a critical vulnerability in trust-based security architectures where reputable API domains are automatically whitelisted.