Stripe iframe skimmer campaign targets payment processors
Summary
Hide β²
Show βΌ
A sophisticated skimmer campaign targeting Stripe iframes has compromised 49 merchants since August 2024. Attackers use malicious overlays to bypass iframe security and steal credit card data. The campaign exploits vulnerabilities in the host pages to inject malicious JavaScript, replacing legitimate iframes with pixel-perfect replicas. The attack leverages deprecated Stripe APIs for real-time card validation, making the theft undetectable to customers. This campaign highlights the growing threat of iframe exploitation, with 18% of websites running tools like Google Tag Manager within payment iframes, creating significant security risks. The campaign underscores the need for active monitoring and robust security measures to protect payment iframes, as traditional defenses like CSP and X-Frame-Options are insufficient.
Timeline
-
24.09.2025 14:03 π° 1 articles Β· β± 4h ago
Stripe iframe skimmer campaign compromises 49 merchants
Since August 2024, a sophisticated skimmer campaign has targeted Stripe iframes, compromising 49 merchants. Attackers use malicious overlays to bypass iframe security and steal credit card data. The campaign exploits vulnerabilities in the host pages to inject malicious JavaScript, replacing legitimate iframes with pixel-perfect replicas. The attack leverages a deprecated Stripe API for real-time card validation, making the theft undetectable to customers. This campaign highlights the growing threat of iframe exploitation, with 18% of websites running tools like Google Tag Manager within payment iframes, creating significant security risks.
Show sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
Information Snippets
-
The Stripe iframe skimmer campaign began in August 2024 and has compromised 49 merchants.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
-
Attackers use malicious overlays to replace legitimate Stripe iframes with pixel-perfect replicas.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
-
The campaign utilizes a deprecated Stripe API for real-time card validation, making the theft undetectable.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
-
18% of websites run tools like Google Tag Manager within payment iframes, creating security blind spots.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
-
Traditional defenses like CSP and X-Frame-Options are insufficient against modern iframe exploitation techniques.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
-
Modern attack vectors include overlays, postMessage spoofing, and CSS exfiltration.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
-
The PCI DSS 4.0.1 rules require merchants to secure the entire page hosting payment iframes.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03
-
A six-step defense strategy focusing on real-time monitoring and CSP is recommended.
First reported: 24.09.2025 14:03π° 1 source, 1 articleShow sources
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks β thehackernews.com β 24.09.2025 14:03