Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/17/2019
03:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Phishing Campaign Targets Stripe Credentials, Financial Data

Attackers make use of an old trick and evade detection by blocking users from viewing an embedded link when hovering over the URL.

Researchers have spotted a new phishing campaign targeting credentials and financial data of people using the Stripe payments platform. Emails are disguised as alerts from Stripe support.

Stripe enables e-commerce, facilitates payments, and helps run businesses with its software-as-a-service platform. Online companies use Stripe to receive payments, manage workflows, and update payment card data, among other things. Its millions of global customers include major brands, among them Amazon, Google, Salesforce, Microsoft, Shopify, Spotify, Nasdaq, and National Geographic.

Now attackers are trying to gain access to credentials for Stripe's platform and the billions of dollars it handles each year. This access could enable the adversaries to steal payment card data and defraud customers, report researchers with the Cofense Phishing Defense Center today.

Emails in the campaign pretend to be notifications from "Stripe Support," telling the account admin the "details associated with account are invalid." The admin must take immediate action or the account will be placed on hold, the attacker warns. The idea is to cause fear or panic among businesses that heavily rely on their online transactions and payments to keep running.

These emails include a "Review your details" button with an embedded hyperlink. A common security practice is to hover the mouse over a hyperlink to see its destination. The attackers behind the campaign blocked this by adding a title to the HTML's <a> tag. Instead of displaying the URL when a mouse hovers over it, the button simply shows "Review your details" in text.

"When rendered in the email client, instead of seeing the underlying link of that button, you just see the title that pops up," says Cofense CTO Aaron Higbee. "In this case, the user wouldn't have been able to see where the misleading domain went." It's a common evasion technique.

When clicked, this button redirects targets to a phishing page disguised to imitate Stripe's customer login page. This part of the attack includes three separate pages: One collects the admin's email address and password, the second requests the bank account number and phone number, and the third redirects the admin back to the initial Stripe login page with a "Wrong Password" error so they don't suspect anything.  

Another interesting factor in this attack was the credential compromised, Higbee says. The attackers were able to obtain the login details for a press[@]company[.]org email address, which also granted them access to the victim company's MailChimp account. This is the platform they ultimately used to launch the phishing campaign, he explains. As a result, the phishing emails appear to originate from the email address of a compromised organization.

"This is saying to me the attackers are looking for ways to make sure their phishing emails are successfully delivered," Higbee continues. Most people have MailChimp whitelisted, and many companies use it for things like password resets.

Red Flags
While the attackers were savvy with HTML, their writing skills could use some work. Misspelled words ("Dear Costumer") and obvious grammatical mistakes could tip off any user to suspicious activity, Higbee says. Employees who suspect foul play should approach emails with caution.

What's more, these emails didn't originate from a "stripe.com" email address, he continues. Even though the display name said Stripe Support, recipients of these emails should also check for a Stripe domain name in the sender's email address. Higbee also warns people to be wary of emails seemingly intended to provoke fear or urgency, which many attackers prey on.

He suspects this type of attack will continue, especially against users of the payment platform.

"If there is a way for an attacker to automatically discern whether a company uses Stripe, I'd guess this type of attack would be on the rise," Higbee says. "There's money at the end of that."

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4662
PUBLISHED: 2020-08-14
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be &quot;fluff&quot; in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...