Stripe handles billions of dollars annually, which is why the company is such an attractive target for cybercriminals looking to gain access to payment card information and to defraud consumers.
The campaign discovered by Cofense begins with a user receiving an email which pretends to be a notification from Stripe support. The email informs the account administrator that “details associated with account are invalid.”
If the administrator fails to take immediate action, their account will be placed on hold, which could be quite disruptive for any business that relies on online transactions and payments. Fear and urgency are often the most common emotions that cybercriminals play on, as they can lead rational people to make irrational decisions.
Stripe phishing campaign
Inside the email body, there is a button with an embedded hyperlink which reads “Review your details”. However, when this button is clicked, it redirects the recipient to a phishing page.
In most cases, a user can check the destination of a hyperlink by hovering over it with their mouse cursor. In this case, though, the true destination of the hyperlink is hidden by adding a simple title to HTML’s <a> tag: when hovering over the button, the recipient sees the title “Review your details” instead of the URL.
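One way a mail filter could flag the title-masked link described above, as an added example that is not from Cofense or the original article. The allow-list TRUSTED_DOMAINS, the helper names and the sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"stripe.com"}  # assumption: domains the real sender uses


class AnchorCollector(HTMLParser):
    """Collect the href and title attributes of every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self.anchors.append({"href": a.get("href") or "", "title": a.get("title") or ""})


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_masked_links(html, trusted=TRUSTED_DOMAINS):
    """Return anchors whose title tooltip hides an untrusted destination."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [
        {"host": host, "title": a["title"]}
        for a in parser.anchors
        if (host := urlsplit(a["href"]).hostname)
        and a["title"] and host not in a["title"].lower()
        and not is_trusted(host, trusted)
    ]


# Constructed sample e-mail body; phish.example is a placeholder domain.
SAMPLE = """
<a href="https://login.phish.example/x" title="Review your details">Review your details</a>
<a href="https://dashboard.stripe.com/login" title="Open dashboard">Dashboard</a>
<a href="https://support.stripe.com/">Help</a>
"""

if __name__ == "__main__":
    for f in find_masked_links(SAMPLE):
        print(f"tooltip {f['title']!r} hides {f['host']}")
```

Only the first anchor is reported: its tooltip text replaces an off-brand host, while the trusted links and the link without a title pass.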
The phishing page users are redirected to is an imitation of the Stripe customer login page. In fact, the phishing page consists of three separate pages. The first one aims to collect the admin’s email address and password, while the second page asks for the bank account number and phone number associated with the account.
Finally, the recipient is redirected back to the account login page which shows an error message that reads “Wrong Password, Enter again”. This helps prevent the recipient from suspecting any foul play.
Stripe users should check their email cautiously and avoid clicking on any suspicious URLs to avoid falling victim to this new phishing campaign.