Phishing Campaign Targets Stripe Credentials, Financial Data

Published: 23/11/2024   Category: security




Attackers make use of an old trick and evade detection by blocking users from viewing an embedded link when hovering over the URL.



Researchers have spotted a new phishing campaign targeting credentials and financial data of people using the Stripe payments platform. Emails are disguised as alerts from Stripe support.
Stripe enables e-commerce, facilitates payments, and helps run businesses with its software-as-a-service platform. Online companies use Stripe to receive payments, manage workflows, and update payment card data, among other things. Its millions of global customers include major brands, among them Amazon, Google, Salesforce, Microsoft, Shopify, Spotify, Nasdaq, and National Geographic.
Now attackers are trying to gain access to credentials for Stripe's platform and the billions of dollars it handles each year. This access could enable the adversaries to steal payment card data and defraud customers, report researchers with the Cofense Phishing Defense Center today.
Emails in the campaign pretend to be notifications from Stripe Support, telling the account admin that the details associated with the account are invalid. The admin must take immediate action or the account will be placed on hold, the attacker warns. The idea is to cause fear or panic among businesses that heavily rely on their online transactions and payments to keep running.
These emails include a "Review your details" button with an embedded hyperlink. A common security practice is to hover the mouse over a hyperlink to see its destination. The attackers behind the campaign blocked this by adding a title to the HTML's <a> tag. Instead of displaying the URL when a mouse hovers over it, the button simply shows "Review your details" in text.
"When rendered in the email client, instead of seeing the underlying link of that button, you just see the title that pops up," says Cofense CTO Aaron Higbee. In this case, the user wouldn't have been able to see where the misleading domain went. It's a common evasion technique.
When clicked, this button redirects targets to a phishing page disguised to imitate Stripe's customer login page. This part of the attack includes three separate pages: One collects the admin's email address and password, the second requests the bank account number and phone number, and the third redirects the admin back to the initial Stripe login page with a "Wrong Password" error so they don't suspect anything.
Another interesting factor in this attack was the credential compromised, Higbee says. The attackers were able to obtain the login details for a press[@]company[.]org email address, which also granted them access to the victim company's MailChimp account. This is the platform they ultimately used to launch the phishing campaign, he explains. As a result, the phishing emails appear to originate from the email address of a compromised organization.
"This is saying to me the attackers are looking for ways to make sure their phishing emails are successfully delivered," Higbee continues. Most people have MailChimp whitelisted, and many companies use it for things like password resets.
Red Flags
While the attackers were savvy with HTML, their writing skills could use some work. Misspelled words ("Dear Costumer") and obvious grammatical mistakes could tip off any user to suspicious activity, Higbee says. Employees who suspect foul play should approach emails with caution.
What's more, these emails didn't originate from a stripe.com email address, he continues. Even though the display name said "Stripe Support," recipients of these emails should also check for a Stripe domain name in the sender's email address. Higbee also warns people to be wary of emails seemingly intended to provoke fear or urgency, which many attackers prey on.
He suspects this type of attack will continue, especially against users of the payment platform.
"If there is a way for an attacker to automatically discern whether a company uses Stripe, I'd guess this type of attack would be on the rise," Higbee says. There's money at the end of that.
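
The two checks described above (a link whose title attribute stands in for its destination on hover, and a "Stripe Support" display name on a non-Stripe sender address), written as a mail-filter heuristic. This is an added example, not code from Cofense or Stripe; the sample message, the .example hosts and the flag names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND, BRAND_DOMAIN = "stripe", "stripe.com"  # brand and its real domain, per the article

def in_domain(host, domain):
    """True only for the domain itself or a subdomain (not 'evilstripe.com')."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class AnchorCollector(HTMLParser):
    """Collect (href, title) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attr = dict(attrs)
            self.anchors.append((attr.get("href") or "", attr.get("title")))

def red_flags(raw_email):
    """Return a list of flag strings for one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    # Display name claims the brand but the address is on another domain.
    if BRAND in display.lower() and not in_domain(addr.rpartition("@")[2], BRAND_DOMAIN):
        flags.append("display-name-mismatch")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = AnchorCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href, title in collector.anchors:
            host = urlparse(href).hostname
            # A title that omits the host gives a hover tooltip that hides the target.
            if host and title is not None and host not in title.lower():
                flags.append("title-hides-destination:" + host)
    return flags

# Constructed sample message (all addresses and hosts are placeholders).
SAMPLE = (
    'From: "Stripe Support" <press@compromised.example>\n'
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Dear Costumer,</p><a href="https://login.phish.example/verify" '
    'title="Review your details">Review your details</a>\n'
)
```

Calling red_flags(SAMPLE) reports both conditions; a link title on its own is common in legitimate mail, so the flags are best treated as scoring signals rather than a verdict.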
