A sophisticated Magecart campaign is utilizing a "Living off Trusted Sites" (LoTS) strategy to steal credit card data by abusing the Stripe API. Attackers use Google Tag Manager (GTM) to deploy a loader on checkout pages, which subsequently fetches a malicious JavaScript skimmer hosted within Stripe's customer metadata fields. By leveraging stripe.com as both the Command and Control (C2) server for payload delivery and the exfiltration sink, the threat actors effectively neutralize Content Security Policies (CSP) and domain-based filters that implicitly trust Stripe and Google domains. This approach highlights a critical vulnerability in trust-based security architectures where reputable API domains are automatically whitelisted.
-
Incident Overview: LoTS Strategy
- Employment of "Living off Trusted Sites" (LoTS) to evade detection by traditional security tools.
- Targeting of e-commerce checkout pages utilizing both Stripe and Google Tag Manager (GTM).
- Focus on bypassing browser-level security controls through the abuse of highly trusted third-party domains.
-
Attack Vector: Delivery and Execution
- Initial delivery achieved via GTM injection of a loader script into the victim's checkout page.
- The loader fetches the primary JavaScript skimmer from legitimate Stripe API endpoints.
- Malicious payloads are hidden within Stripe customer metadata fields to avoid signature-based detection.
-
C2 Infrastructure: Stripe API Abuse
- The Stripe API is repurposed as the primary C2 server for delivering arbitrary malicious code.
- Exfiltrated payment credentials are routed back to Stripe domains, mimicking legitimate API traffic.
- Implicit trust in
stripe.comallows C2 communication to bypass most domain-based whitelists.
-
Evasion Tactics & Security Impact
- Effectively neutralizes Content Security Policies (CSP) that whitelist broad Stripe API endpoints.
- Bypasses security monitors that ignore traffic flowing to reputable cloud service providers.
- Exposes a critical blind spot in security models that rely on domain reputation rather than granular path validation.
-
Defensive Actions & Mitigation
- Implementation of strict, granular CSPs that restrict specific API paths instead of whitelisting entire domains.
- Rigorous auditing and monitoring of GTM containers to detect unauthorized script modifications.
- Deployment of Subresource Integrity (SRI) hashes to ensure the authenticity of loaded scripts.
Related posts
- bleepingcomputer.com — Charter confirms data breach after ShinyHunters extortion threat
- bleepingcomputer.com — Charter Communications data breach affects 4.9 million accounts
- securityweek.com — Charter Communications Data Breach Could Impact Nearly 5 Million
- Safestate
- Techrepublic
- Haveibeenpwned
- Esecurityplanet
- Cybernews
- feeds.feedburner.com — Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
- Forbes
- bleepingcomputer.com — DentaQuest data breach exposed info of 2.6 million accounts
- Research
- Paubox
- Wfmd
- Identityweek
- helpnetsecurity.com — Attackers obtained encrypted password vaults from some Dashlane user accounts
- SC Media — Magecart campaign exploits Stripe API for credit card theft
- Thehackernews
- Sansec
- Cybersecurity News — New Magecart Attack Turns Stripe into a Malware Command Server
- Securityaffairs
- Breachsense
- Potterhandy
- Cfc
- Scott-scott
- Signon
- Ransomware
- Privacyinsightsolutions
- Dexpose
- Ransomlook
- Hipaajournal
- Morningstar
- Prnewswire
- Techrepublic
- Haveibeenpwned
- Teiss
- Medixdental
- Claimdepot
- Drbicuspid
- Rescana
- Security Affairs — DentaQuest Breach: ShinyHunters Publish Data Impacting 2.6M People
- Dexpose
- Haveibeenpwned
- Au
- Secure
- Uk
- Socradar