
Magecart Group Exploits Stripe API to Host Credit Card Skimmer

Attackers are using Google Tag Manager and Stripe's API to host both the skimmer code and stolen payment data, bypassing security filters that trust these domains.

CSBadmin

How the Skimmer Operates

A newly discovered Magecart campaign is using the trusted infrastructure of Stripe and Google Tag Manager to deploy credit card theft code on ecommerce sites. Security researchers at Sansec found that the malicious payload is loaded from a Google Tag Manager container, which activates when a shopper reaches a checkout page. The code then leverages Stripe’s API to both host the skimmer and store the stolen payment data.

The skimmer specifically targets Magento and Adobe Commerce checkout pages. It captures credit card numbers, expiration dates, CVV codes, customer names, billing addresses, email addresses, and phone numbers. The stolen information is obfuscated using XOR operations and held in the victim’s browser local storage rather than being exfiltrated immediately, so no suspicious outbound request occurs at the moment of capture and security tools have less to detect.

Data Exfiltration and Detection Avoidance

A separate routine retrieves the stored data by splitting it in half, creating a new Stripe customer object, and placing the stolen information in custom metadata fields. This effectively turns the attacker’s Stripe account into a storage backend for each stolen card. After the data is copied, the local storage is wiped to remove traces of the attack and prevent duplicate uploads.

By using api.stripe.com, the skimmer bypasses Content Security Policy rules and network filters that would normally flag traffic to an unknown malicious domain. The attacker’s Stripe customer record containing the skimmer code was created on December 24, 2025, suggesting the operation may have been active since that date. Sansec also identified a variant of the attack that uses Google Firestore instead of Stripe, with the payload hidden in a document named “tracking/captcha” within a project called “braintree-payment-app” to blend in with legitimate payment traffic.
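Because a host-based CSP that allows api.stripe.com cannot tell the skimmer's calls apart from the shop's own, one practical check is to look at which Stripe endpoints the checkout page actually reaches from the browser: customer creation with metadata fields is a server-side operation and has no business coming from a shopper's browser. The following is an added example, not code from Sansec or the report; the allowlist of expected browser-side endpoints and the fetch-wrapping hook are assumptions to be tuned to a given integration.

```javascript
const STRIPE_HOST = "api.stripe.com";

// Paths a checkout page legitimately reaches through Stripe.js with a
// publishable key (assumed allowlist; adjust to what your integration uses).
const EXPECTED_BROWSER_PATHS = [
  /^\/v1\/tokens$/,
  /^\/v1\/payment_methods$/,
  /^\/v1\/payment_intents\/[^/]+\/confirm$/,
  /^\/v1\/setup_intents\/[^/]+\/confirm$/,
];

// Classify one outbound request; returns { suspicious, reasons }.
function classifyStripeRequest({ method = "GET", url, headers = {}, body = "" }) {
  const reasons = [];
  let parsed;
  try { parsed = new URL(url); } catch { return { suspicious: false, reasons }; }
  if (parsed.hostname !== STRIPE_HOST) return { suspicious: false, reasons };

  if (!EXPECTED_BROWSER_PATHS.some((re) => re.test(parsed.pathname))) {
    reasons.push(`unexpected endpoint from browser: ${method.toUpperCase()} ${parsed.pathname}`);
  }
  // Stripe bodies are form-encoded; metadata[...] keys are free-form storage,
  // which is exactly what the campaign abused to park stolen card data.
  const metaKeys = [...new URLSearchParams(body).keys()].filter((k) => k.startsWith("metadata["));
  if (metaKeys.length > 0) reasons.push(`metadata fields in request body: ${metaKeys.join(", ")}`);
  // A secret key (sk_...) should never be sent from a browser; client code uses pk_... keys.
  const auth = Object.entries(headers).find(([k]) => k.toLowerCase() === "authorization")?.[1] ?? "";
  if (/\bsk_(live|test)_/.test(auth)) reasons.push("secret API key used from the browser");

  return { suspicious: reasons.length > 0, reasons };
}

// Browser hook (assumed deployment): wrap fetch so each Stripe call is classified
// before it leaves, and hand suspicious ones to a reporting callback.
function installFetchMonitor(report, target = globalThis) {
  if (typeof target.fetch !== "function") return false;
  const origFetch = target.fetch.bind(target);
  target.fetch = async (input, init = {}) => {
    const url = typeof input === "string" ? input : input.url;
    const hdrs = init.headers && typeof init.headers.entries === "function"
      ? Object.fromEntries(init.headers) : (init.headers ?? {});
    const body = typeof init.body === "string" ? init.body : "";
    const verdict = classifyStripeRequest({ method: init.method, url, headers: hdrs, body });
    if (verdict.suspicious) report(url, verdict.reasons);
    return origFetch(input, init);
  };
  return true;
}
```

The same idea applies to the Firestore variant: allowlisting a hostname is not enough, so compare the endpoints and payload shapes a page uses against what the integration is known to need.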

Source: BleepingComputer
