← Back to Daily Briefing

A sophisticated Magecart campaign is utilizing a "Living off Trusted Sites" (LoTS) strategy to steal credit card data by abusing the Stripe API. Attackers use Google Tag Manager (GTM) to deploy a loader on checkout pages, which subsequently fetches a malicious JavaScript skimmer hosted within Stripe's customer metadata fields. By leveraging stripe.com as both the Command and Control (C2) server for payload delivery and the exfiltration sink, the threat actors effectively neutralize Content Security Policies (CSP) and domain-based filters that implicitly trust Stripe and Google domains. This approach highlights a critical vulnerability in trust-based security architectures where reputable API domains are automatically whitelisted.

  • Incident Overview: LoTS Strategy

    • Employment of "Living off Trusted Sites" (LoTS) to evade detection by traditional security tools.
    • Targeting of e-commerce checkout pages utilizing both Stripe and Google Tag Manager (GTM).
    • Focus on bypassing browser-level security controls through the abuse of highly trusted third-party domains.
  • Attack Vector: Delivery and Execution

    • Initial delivery achieved via GTM injection of a loader script into the victim's checkout page.
    • The loader fetches the primary JavaScript skimmer from legitimate Stripe API endpoints.
    • Malicious payloads are hidden within Stripe customer metadata fields to avoid signature-based detection.
  • C2 Infrastructure: Stripe API Abuse

    • The Stripe API is repurposed as the primary C2 server for delivering arbitrary malicious code.
    • Exfiltrated payment credentials are routed back to Stripe domains, mimicking legitimate API traffic.
    • Implicit trust in stripe.com allows C2 communication to bypass most domain-based whitelists.
  • Evasion Tactics & Security Impact

    • Effectively neutralizes Content Security Policies (CSP) that whitelist broad Stripe API endpoints.
    • Bypasses security monitors that ignore traffic flowing to reputable cloud service providers.
    • Exposes a critical blind spot in security models that rely on domain reputation rather than granular path validation.
  • Defensive Actions & Mitigation

    • Implementation of strict, granular CSPs that restrict specific API paths instead of whitelisting entire domains.
    • Rigorous auditing and monitoring of GTM containers to detect unauthorized script modifications.
    • Deployment of Subresource Integrity (SRI) hashes to ensure the authenticity of loaded scripts.

Related posts

  1. bleepingcomputer.com — Charter confirms data breach after ShinyHunters extortion threat
  2. bleepingcomputer.com — Charter Communications data breach affects 4.9 million accounts
  3. securityweek.com — Charter Communications Data Breach Could Impact Nearly 5 Million
  4. Safestate
  5. Techrepublic
  6. Haveibeenpwned
  7. Esecurityplanet
  8. Cybernews
  9. feeds.feedburner.com — Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
  10. Reddit
  11. Forbes
  12. bleepingcomputer.com — DentaQuest data breach exposed info of 2.6 million accounts
  13. Research
  14. Paubox
  15. Wfmd
  16. Identityweek
  17. helpnetsecurity.com — Attackers obtained encrypted password vaults from some Dashlane user accounts
  18. SC Media — Magecart campaign exploits Stripe API for credit card theft
  19. Thehackernews
  20. Sansec
  21. Reddit
  22. Cybersecurity News — New Magecart Attack Turns Stripe into a Malware Command Server
  23. Securityaffairs
  24. Breachsense
  25. Potterhandy
  26. Cfc
  27. Reddit
  28. Scott-scott
  29. Signon
  30. Ransomware
  31. Privacyinsightsolutions
  32. Dexpose
  33. Ransomlook
  34. Hipaajournal
  35. Morningstar
  36. Prnewswire
  37. Techrepublic
  38. Haveibeenpwned
  39. Teiss
  40. Medixdental
  41. Claimdepot
  42. Drbicuspid
  43. Rescana
  44. Security Affairs — DentaQuest Breach: ShinyHunters Publish Data Impacting 2.6M People
  45. Reddit
  46. Dexpose
  47. Haveibeenpwned
  48. Au
  49. Secure
  50. Uk
  51. Socradar

LINK COPIED TO CLIPBOARD