Researchers have spotted a new phishing campaign targeting credentials and financial data of people using the Stripe payments platform. Emails are disguised as alerts from Stripe support.
Stripe enables e-commerce, facilitates payments, and helps run businesses with its software-as-a-service platform. Online companies use Stripe to receive payments, manage workflows, and update payment card data, among other things. Its millions of global customers include major brands, among them Amazon, Google, Salesforce, Microsoft, Shopify, Spotify, Nasdaq, and National Geographic.
Now attackers are trying to gain access to credentials for Stripe's platform and the billions of dollars it handles each year. This access could enable the adversaries to steal payment card data and defraud customers, report researchers with the Cofense Phishing Defense Center today.
Emails in the campaign pretend to be notifications from "Stripe Support," telling the account admin the "details associated with account are invalid." The admin must take immediate action or the account will be placed on hold, the attacker warns. The idea is to cause fear or panic among businesses that heavily rely on their online transactions and payments to keep running.
These emails include a "Review your details" button with an embedded hyperlink. A common security practice is to hover the mouse over a hyperlink to see its destination. The attackers behind the campaign blocked this by adding a title to the HTML's <a> tag. Instead of displaying the URL when a mouse hovers over it, the button simply shows "Review your details" in text.
"When rendered in the email client, instead of seeing the underlying link of that button, you just see the title that pops up," says Cofense CTO Aaron Higbee. "In this case, the user wouldn't have been able to see where the misleading domain went." It's a common evasion technique.
When clicked, this button redirects targets to a phishing page disguised to imitate Stripe's customer login page. This part of the attack includes three separate pages: One collects the admin's email address and password, the second requests the bank account number and phone number, and the third redirects the admin back to the initial Stripe login page with a "Wrong Password" error so they don't suspect anything.
Another interesting factor in this attack was the credential compromised, Higbee says. The attackers were able to obtain the login details for a press[@]company[.]org email address, which also granted them access to the victim company's MailChimp account. This is the platform they ultimately used to launch the phishing campaign, he explains. As a result, the phishing emails appear to originate from the email address of a compromised organization.
"This is saying to me the attackers are looking for ways to make sure their phishing emails are successfully delivered," Higbee continues. Most people have MailChimp whitelisted, and many companies use it for things like password resets.
While the attackers were savvy with HTML, their writing skills could use some work. Misspelled words ("Dear Costumer") and obvious grammatical mistakes could tip off any user to suspicious activity, Higbee says. Employees who suspect foul play should approach emails with caution.
What's more, these emails didn't originate from a "stripe.com" email address, he continues. Even though the display name said Stripe Support, recipients of these emails should also check for a Stripe domain name in the sender's email address. Higbee also warns people to be wary of emails seemingly intended to provoke fear or urgency, which many attackers prey on.
He suspects this type of attack will continue, especially against users of the payment platform.
"If there is a way for an attacker to automatically discern whether a company uses Stripe, I'd guess this type of attack would be on the rise," Higbee says. "There's money at the end of that."