Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/17/2019
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Phishing Campaign Targets Stripe Credentials, Financial Data

Attackers make use of an old trick and evade detection by blocking users from viewing an embedded link when hovering over the URL.

Researchers have spotted a new phishing campaign targeting credentials and financial data of people using the Stripe payments platform. Emails are disguised as alerts from Stripe support.

Stripe enables e-commerce, facilitates payments, and helps run businesses with its software-as-a-service platform. Online companies use Stripe to receive payments, manage workflows, and update payment card data, among other things. Its millions of global customers include major brands, among them Amazon, Google, Salesforce, Microsoft, Shopify, Spotify, Nasdaq, and National Geographic.

Now attackers are trying to gain access to credentials for Stripe's platform and the billions of dollars it handles each year. This access could enable the adversaries to steal payment card data and defraud customers, report researchers with the Cofense Phishing Defense Center today.

Emails in the campaign pretend to be notifications from "Stripe Support," telling the account admin the "details associated with account are invalid." The admin must take immediate action or the account will be placed on hold, the attacker warns. The idea is to cause fear or panic among businesses that heavily rely on their online transactions and payments to keep running.

These emails include a "Review your details" button with an embedded hyperlink. A common security practice is to hover the mouse over a hyperlink to see its destination. The attackers behind the campaign blocked this by adding a title to the HTML's <a> tag. Instead of displaying the URL when a mouse hovers over it, the button simply shows "Review your details" in text.

"When rendered in the email client, instead of seeing the underlying link of that button, you just see the title that pops up," says Cofense CTO Aaron Higbee. "In this case, the user wouldn't have been able to see where the misleading domain went." It's a common evasion technique.

When clicked, this button redirects targets to a phishing page disguised to imitate Stripe's customer login page. This part of the attack includes three separate pages: One collects the admin's email address and password, the second requests the bank account number and phone number, and the third redirects the admin back to the initial Stripe login page with a "Wrong Password" error so they don't suspect anything.  

Another interesting factor in this attack was the credential compromised, Higbee says. The attackers were able to obtain the login details for a press[@]company[.]org email address, which also granted them access to the victim company's MailChimp account. This is the platform they ultimately used to launch the phishing campaign, he explains. As a result, the phishing emails appear to originate from the email address of a compromised organization.

"This is saying to me the attackers are looking for ways to make sure their phishing emails are successfully delivered," Higbee continues. Most people have MailChimp whitelisted, and many companies use it for things like password resets.

Red Flags
While the attackers were savvy with HTML, their writing skills could use some work. Misspelled words ("Dear Costumer") and obvious grammatical mistakes could tip off any user to suspicious activity, Higbee says. Employees who suspect foul play should approach emails with caution.

What's more, these emails didn't originate from a "stripe.com" email address, he continues. Even though the display name said Stripe Support, recipients of these emails should also check for a Stripe domain name in the sender's email address. Higbee also warns people to be wary of emails seemingly intended to provoke fear or urgency, which many attackers prey on.

He suspects this type of attack will continue, especially against users of the payment platform.

"If there is a way for an attacker to automatically discern whether a company uses Stripe, I'd guess this type of attack would be on the rise," Higbee says. "There's money at the end of that."

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.