
Credit card theft campaign abuses Stripe to host stolen payment info


A new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages.

The entire malicious activity relies on Google Tag Manager and Stripe domains - googletagmanager.com and api.stripe.com - that are trusted implicitly by online stores.

The new malware family was discovered by researchers at ecommerce security company Sansec, who found that the malicious code is loaded from a Google Tag Manager (GTM) container and executes on every page that loads it.

"Both the payload and the stolen cards move through api.stripe.com. Stores allow that domain by default, so the skimmer slips past Content Security Policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain," Sansec says.

GTM is a management system that allows website owners to add and manage scripts used for analytics, ads, and tracking, without modifying the site's source code.

Stripe is a payment processing platform widely used by online stores to accept credit cards, manage customer orders, and handle billing.

According to Sansec, the malicious code is embedded in legitimate-looking GTM containers, which activate when a shopper reaches a checkout page and query Stripe's API for a specific customer record (cus_TfFjAAZQNOYENR, in this case).

From the metadata fields of the record, it reads JavaScript code that it reassembles and then executes using new Function().

The card skimmer targets Magento/Adobe Commerce checkout pages and attempts to capture payment data (credit card number, expiration date, CVV code, customer name) as well as the billing address, email address, and phone number.
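The loader shape described above (a Stripe customer-record lookup whose metadata fields are reassembled and run through new Function()) is something a store operator can hunt for in exported GTM container JSON or captured page scripts. The following heuristic scanner is an added example written for this page, not code from Sansec or the article; the indicator list, weights, function names and the two sample scripts are assumptions constructed for illustration, and only the customer id comes from the article.

```javascript
// Heuristic scanner for script text exported from a GTM container or
// captured from a checkout page. Indicator labels, weights and sample
// scripts are assumptions made for this example.

// Customer id quoted in the article as the record the loader fetched.
const KNOWN_IOC_CUSTOMER_ID = "cus_TfFjAAZQNOYENR";

// Individual indicators; each is common on its own, so scoring combines them.
const INDICATORS = [
  { label: "stripe-customer-lookup", weight: 2,
    re: /api\.stripe\.com\/v1\/customers\/cus_[A-Za-z0-9]+/ },
  { label: "metadata-read",    weight: 1, re: /\.metadata\b/ },
  { label: "chunk-reassembly", weight: 1, re: /\.join\(\s*(""|'')\s*\)/ },
  { label: "dynamic-function", weight: 3, re: /\bnew\s+Function\s*\(|\bFunction\s*\(/ },
  { label: "checkout-trigger", weight: 1, re: /checkout/i },
];

// Returns { suspicious, score, hits } for one script body.
function scanScript(src) {
  const hits = INDICATORS.filter(i => i.re.test(src)).map(i => i.label);
  let score = INDICATORS.filter(i => hits.includes(i.label))
                        .reduce((sum, i) => sum + i.weight, 0);
  const iocHit = src.includes(KNOWN_IOC_CUSTOMER_ID);
  if (iocHit) { hits.push("known-ioc-customer-id"); score += 5; }
  // A customer lookup that feeds dynamic code execution is the combination
  // that matters; a known IoC is flagged unconditionally.
  const suspicious = iocHit ||
    (hits.includes("stripe-customer-lookup") && hits.includes("dynamic-function"));
  return { suspicious, score, hits };
}

// Constructed samples (not captured code). A normal Stripe Elements snippet:
const BENIGN_CHECKOUT_SCRIPT = `
  const stripe = Stripe("pk_test_PLACEHOLDER");
  stripe.elements().create("card").mount("#card-element");
`;

// ...and a fragment mirroring the loader shape from the article.
const SUSPICIOUS_GTM_TAG = `
  if (location.pathname.indexOf("/checkout") > -1) {
    var u = "https://api.stripe.com/v1/customers/cus_EXAMPLE0000000";
    /* record fetched; fields c.metadata.p0 .. c.metadata.pN collected into parts */
    new Function(parts.join(""))();
  }
`;

console.log(scanScript(BENIGN_CHECKOUT_SCRIPT));   // suspicious: false, score: 0
console.log(scanScript(SUSPICIOUS_GTM_TAG));       // suspicious: true, score: 8
```

Run it over every script body in a GTM container export and every inline or fetched script on the checkout page; a hit on the lookup-plus-dynamic-function pair is worth a manual look even when api.stripe.com is on the CSP allow list, because that allow list is exactly what this campaign relies on.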

Card skimmer code
