loader gif

New Phishing Campaign Aims To Steal Banking Information From Stripe Users

cyber, laptop, secure, steal, password, business, code, illegal, malware, technology, security, asia, theft, hacking, espionage, computer, protection, attack, protect, keylogger, botnet, trojan, spy, cracker, secret, encryption, danger, stealing, criminal, identity, network, spyware, privacy, internet, threat, data, anonymous, card, phishing, firewall, thai, programmer, crime, safety, spam, fraud
  • A new phishing campaign that targets Stripe users to steal banking information has been uncovered.
  • Attackers are evading detection by blocking users from viewing the destination of embedded links.

Stripe is an online platform that enables businesses to deal with payments. It handles billions of dollars annually and has a rich client base of reputed brands. This makes Stripe an attractive target for hackers.

How does the campaign work?

An email pretending to be from Stripe support informs the account administrator that the details associated with the account are invalid.

  • The email says that the account would be put on hold if the administrator does not take immediate action. Naturally, this causes panic, especially in businesses that run mostly on online transactions via Skype.
  • The recipient is directed to click on the ‘Review your details’ button in the email body. Hovering over this button does not show the destination link but shows a title, ‘Review your details’. This is a potential technique to mask the destination URL and avoid detection.
  • On clicking the button, the victim is redirected to a phishing page that has been designed to look like the Stripe customer login page.
  • It consists of three separate pages that try to steal admin credentials, bank account number, and phone number.

What happens next?

The victim is redirected to the account login page after entering the details. Here, an error message, ‘Wrong Password, Enter Again’ is displayed. This leads the victim to believe that an incorrect password has been entered. Following this, redirection to the legitimate site happens to avoid raising suspicion.

Staying safe

Researchers from Cofense who analyzed this campaign have published Indicators of Compromise (IOCs) that you can keep an eye on.

Worth noting

“Another interesting factor in this attack was the credential compromised. The attackers were able to obtain the login details for a press[@]company[.]org email address, which also granted them access to the victim company's MailChimp account,” says Aaron Higbee, Cofense CTO.
loader gif