Magecart Skimmer Turns Stripe into a Malware Command Server
Sansec has uncovered a Magecart family that operates its skimmer directly through Stripe. The attacker cleverly stores the card stealer in a Stripe customer’s metadata, executing it on checkout pages and writing stolen card information back into the same account as fake customers. This makes Stripe both the command server and the exfiltration sink, all while utilizing a domain that most stores would not block.
The skimmer avoids loading from a domain controlled by the attacker. Instead, both the payload and stolen cards are transmitted through api.stripe.com, a domain that stores allow by default. This clever tactic allows the skimmer to bypass Content Security Policy rules and network filters that would normally flag traffic to an unknown skimmer domain. The loaders are legitimate Google Tag Manager containers (GTM-P6KZMF63 and others), disguised as a custom tag and served directly from googletagmanager.com. This method helps the skimmer blend in with the store’s legitimate analytics tags.
How the Malware Operates 🔍
The malware’s operation is divided into three parts:
- Code Delivery: Located within a real GTM container (GTM-P6KZMF63), the code executes on every page that loads it. On checkout pages, it fetches the skimmer from Stripe customer metadata and executes it using new Function().
- Data Harvesting: The harvester waits for the checkout button click, targeting specific selectors related to Magento and Adobe Commerce checkout markup. It only stores data when all four card fields are present.
- Data Uploading: This occurs in a separate job within the same loader, running one second after each page load and again every 60 seconds. When it detects a blob in localStorage, it splits the value in half and POSTs it to Stripe’s customer API, creating a
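Because the loader rides inside a legitimate GTM container and talks only to api.stripe.com, CSP and domain blocklists do not catch it; what a store can do is audit the custom HTML tags in its own container for the indicator combination described in the three steps above. The following Node.js script is an added, defensive example written for this article (it is not code from Sansec's report or from the skimmer), and the tag names, the cus_PLACEHOLDER customer ID and the tag bodies are constructed sample data, not real container content. It flags a tag when several of the core indicators (Stripe customer API usage, new Function()/eval on a fetched string, localStorage staging, a 60-second timer) co-occur, while treating a plain Stripe.js include or a checkout-scoped analytics tag as clean.

```javascript
// Added example: static triage of Google Tag Manager custom HTML tags for the
// indicator combination in the article (payload fetched via api.stripe.com,
// run with new Function(), data staged in localStorage, flushed every 60 s).
// All tag names, IDs and bodies below are constructed for illustration.

const INDICATORS = [
  { id: "stripe_customer_api", re: /api\.stripe\.com\/v1\/customers/i,
    why: "Stripe customer API called from a storefront tag" },
  { id: "dynamic_eval", re: /\bnew\s+Function\s*\(|\beval\s*\(/,
    why: "a string is turned into executable code" },
  { id: "local_storage_staging", re: /localStorage\.(setItem|getItem)/,
    why: "data staged in localStorage between page loads" },
  { id: "periodic_flush", re: /setInterval\s*\([\s\S]*?,\s*60000\s*\)/,
    why: "60-second repeating timer" },
  { id: "checkout_scope", re: /checkout/i,
    why: "behaviour gated to checkout pages (common for legitimate tags too)" },
];

// Indicators that carry weight on their own; checkout gating is only context.
const CORE = ["stripe_customer_api", "dynamic_eval", "local_storage_staging", "periodic_flush"];

// Scan one tag body and return the matched indicator ids plus a risk verdict:
// 3+ core indicators -> "high", 1-2 -> "review", none -> "clean".
function scanTag(tagHtml) {
  const hits = INDICATORS.filter((ind) => ind.re.test(tagHtml)).map((ind) => ind.id);
  const coreHits = hits.filter((h) => CORE.includes(h)).length;
  const risk = coreHits >= 3 ? "high" : coreHits >= 1 ? "review" : "clean";
  return { hits, risk };
}

// Audit a container export given as an array of { name, html } custom HTML tags.
function auditContainer(tags) {
  return tags.map((t) => ({ name: t.name, ...scanTag(t.html) }));
}

// Constructed sample container: one analytics tag, one tag carrying the
// indicator tokens (not a functional loader), one ordinary Stripe.js include.
const SAMPLE_TAGS = [
  { name: "GA4 - page_view",
    html: "<script>gtag('event','page_view',{page_path:location.pathname});</script>" },
  { name: "Custom HTML - checkout helper",
    html: [
      "<script>",
      "// constructed sample: indicator tokens only",
      "var src = 'https://api.stripe.com/v1/customers/cus_PLACEHOLDER';",
      "var run = function (s) { return new Function(s); };",
      "if (location.pathname.indexOf('checkout') !== -1) { /* constructed gate */ }",
      "setInterval(function () { localStorage.getItem('blob'); }, 60000);",
      "</script>",
    ].join("\n") },
  { name: "Stripe.js include",
    html: "<script src='https://js.stripe.com/v3/'></script><script>var stripe = Stripe('pk_test_PLACEHOLDER');</script>" },
];

// Stand-alone run: print the audit as JSON.
console.log(JSON.stringify(auditContainer(SAMPLE_TAGS), null, 2));
```

Run it against a real export by replacing SAMPLE_TAGS with the custom HTML tags pulled from the GTM container (the name and the tag's HTML body are all the scanner needs). A "review" verdict on a single indicator is expected for stores that genuinely use Stripe or localStorage; the combination is what matters, and any tag that reaches "high" should be read in full rather than trusted because it sits in the store's own container.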