Threat Management, Malware, Phishing

Phishing scam targets users of Stripe payment processing service


Cybercriminals have devised a phishing campaign that that takes aim at customers of the online payment processing company Stripe, with the intention to steal their credentials, compromise their accounts and presumably view their payment card data.

The attackers employ two clever tricks to hide their malicious activity. First, they use a technique to block email recipients from viewing the destination of a malicious embedded link when they hover over it with their cursor. Then, after stealing victims' login credentials, they use a fake log-in error message as a sneaky way to transition them back back to the legitimate Stripe website.

Researchers from Cofense's Phishing Defense Center recently uncovered the phishing plot and exposed it in an Oct. 17 blog post written by threat analyst Milo Salvia.

The phishing emails appear to be an alert from Stripe Support, warning recipients that certain details associated with their account are invalid. Recipients are urged to quickly resolve their issues to avoid having their accounts frozen.

"This is cause for panic among businesses that rely solely on online transactions and payments. Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions," Salvia states in the blog post.

The emails also contain a "Review your details" button, which, if clicked, sends users to a phishing site that impersonates Stripe. Unfortunately, cautious recipients who hover the cursor over the button before clicking will not see the hyperlink's malicious destination.

"The true destination of this hyperlink is obscured by adding a simple title to HTML’s <a> tag, which shows the recipient the title 'Review your details' when the recipient hovers over the button instead of the URL. Potentially this is a tactic to mask the true destination..." Salvia writes.

The phishing site is comprised of three separate pages. The first seeks victims' admin email address and password, while the second asks for a bank account number and linked phone number. The third page looks like original login page, but the message "Wrong Password, Enter Again." When victims re-enter their credentials, thinking something went wrong, they are actually routed to the real Stripe website, to reduce the likelihood that they become suspicious.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.