
Credit Card Theft Campaign Abuses Stripe to Host Stolen Payment Info
Why It Matters
The abuse of trusted services like Stripe and GTM lets attackers evade traditional security controls, exposing millions of online shoppers to fraud. This underscores the urgency of stricter third‑party script governance and advanced monitoring in e‑commerce platforms.
Key Takeaways
- Magecart uses Stripe API as storage for stolen card data
- Attack leverages Google Tag Manager to bypass CSP and network filters
- Skimmer targets Magento/Adobe Commerce checkout pages, exfiltrates full payment details
- Variant stores data in Google Firestore, mimicking legitimate payment traffic
- Mitigation includes using one‑time virtual cards and tightening GTM permissions
Pulse Analysis
Magecart groups have increasingly weaponized trusted third‑party services to slip past defenses, and this latest campaign illustrates that trend. By embedding malicious JavaScript in Google Tag Manager containers, attackers exploit a platform that e‑commerce sites already trust for analytics and marketing. The GTM payload runs on every page load, silently calling Stripe’s API—an endpoint most merchants whitelist—so traditional Content Security Policy rules and network filters fail to flag the activity. This supply‑chain style intrusion demonstrates how reliance on SaaS tools can become a double‑edged sword.
The technical sophistication of the operation lies in its use of Stripe’s customer‑metadata fields as a covert storage layer. Once a shopper reaches checkout, the skimmer captures card number, expiration, CVV, name, billing address and contact details, obfuscates the data with XOR, and creates a fake Stripe customer record (e.g., cus_TfFjAAZQNOYENR) to house the payload. A separate routine retrieves and uploads the data every minute, then wipes local traces. A parallel variant swaps Stripe for Google Firestore, naming the document and project to blend with legitimate payment‑processing traffic. Both approaches sidestep detection because they communicate with domains that merchants already trust.
For businesses, the breach signals a pressing need to audit and restrict third‑party script access. Enforcing least‑privilege policies in GTM, implementing strict sub‑resource integrity checks, and monitoring anomalous API calls to payment processors can curb such abuse. Consumers can add a layer of protection by adopting one‑time virtual cards with spend limits, reducing the value of any stolen credentials. As regulators scrutinize data‑privacy practices, firms that proactively harden their supply‑chain scripts will not only safeguard revenue but also preserve brand trust in an increasingly hostile cyber landscape.