Stripe Website Impersonated in Credential Phishing Attack
The core elements of most credential phishing attacks have remained constant over the years, where the attacker sends the target an email containing a link to a phishing site. However, the way modern threat actors approach the phishing site aspect of these attacks has become increasingly elaborate.
In a recent attack, the threat actor leveraged a man-in-the-middle framework—capable of displaying live content and bypassing multifactor authentication—to recreate Stripe’s website to steal login credentials. Here’s a look at how the attack was executed and how Abnormal was able to stop it.
Summary of Attack Target
Platform: Microsoft 365
Targets: Stripe Users
Payload: Malicious Link
- Technique: Brand Impersonation
About the Stripe Credential Phishing Attack
As with all credential phishing attempts, the threat actor started by sending an email to the target about a fabricated situation that required immediate attention. The intent was to bait the recipient into clicking on a phishing link.
In this case, the phishing email is designed to look as if it’s being sent from Stripe. The message states that Stripe has detected a login from a new IP address in Russia and instructs the recipient to click on a link if they don’t recognize the device or location.
When the recipient clicks on the link in the email, they are redirected to the credential phishing site—an imitation of Stripe’s sign-in page.
If they enter their credentials, the attacker now has access to their account, giving them the power to change bank information, redirect incoming payments, and send fraudulent payment requests.
As an online payment processing platform with more than 3 million users, Stripe is an essential business tool for organizations all over the globe. For some Stripe users, the solution is a simple, secure way to accept payments. For others, however, it's the foundation upon which all financial aspects of the organization are built. This means that a compromised Stripe account can have catastrophic consequences.
Why This Credential Phishing Attack Is Unique
Frankly, the email itself is not particularly remarkable, as it follows the basic credential phishing email formula. What is remarkable is the phishing site itself.
Often, credential phishing sites seem legitimate at first glance, but upon closer inspection, you can see obvious indicators of impersonation: misspellings, grammar mistakes, broken links, inferior design elements, or similar issues. This phishing site, on the other hand, is a perfect replica of Stripe’s sign-in page. The only difference is the domain—stripe.com.s-xq[.]com—which, you'll notice, contains the actual Stripe domain within the URL.
Compare the real Stripe sign-in page below to the phishing page above:
The pages are indistinguishable.
But the impersonation doesn’t stop there; in fact, the entire website has been replicated. Here are screenshots of the fake version of the Stripe homepage and the real one:
They’re identical—down to the animated background.
It’s the same with the pricing page:
Nearly every page on the fake website looks and behaves exactly as a visitor would expect the actual Stripe pages to. This indicates that Stripe’s legitimate website was likely cloned when building the phishing kit for the attack.
Even if the target was suspicious and clicked through a few different pages to confirm the site’s legitimacy, they could still be fooled because the threat actor has created an exact duplicate of every page on the entire domain.
The ruse only truly starts to come apart on the signup page. In the screenshot below, you can see the Google reCAPTCHA widget is displaying an error: “ERROR for site owner: Invalid domain for site key”.
Google’s reCAPTCHA is a CAPTCHA system that runs in the background of a website and helps prevent fraudulent activity. To add a reCAPTCHA to your site, you must register your domain and create a site key. If a reCAPTCHA is placed on a website hosted on a domain other than the one in the site key settings, the reCAPTCHA will fail and display this error:
Here, the reCAPTCHA detected the mismatch between the domain associated with the site key (dashboard.stripe[.]com) and the domain on which the reCAPTCHA was being used (dashboard.stripe.com.s-xq[.]com). This is one of the very few visible indicators that the website is illegitimate.
Breaking Down the Attack Strategy and Impact
Based on what we observed, this appears to be a sophisticated man-in-the-middle (MITM) attack, in which a cybercriminal positions themselves between two parties to intercept private information. For this attack, the threat actor utilized a framework that displayed the live content from the actual Stripe website when the target visited the corresponding page on the stripe.com.s-xq[.]com domain.
Along with allowing the attacker to recreate the entire Stripe website, the MITM framework also enables them to bypass the multifactor authentication process. This, coupled with the fact there are a limited number of indicators that the website is a copycat version, means that if the target clicks on the phishing link, the threat actor’s chances of successfully stealing credentials are substantially higher than in the average credential phishing attack.
Payment solutions providers like Stripe are some of the most often impersonated brands in credential phishing attacks. This is because by gaining access to a Stripe account, not only can cybercriminals redirect deposits and send fake payment requests, but they can also steal sensitive financial information about both the organization and its customers to use in future attacks.
Even worse, victims of such attacks may not be able to easily resolve the situation, and their accounts could be shut down permanently. Being forced to deactivate their Stripe account also impacts their ability to use any other platforms connected to that account, such as billing software and e-commerce solutions. The company will also have to deal with the headache of disputing fraudulent charges with their bank, as well as any additional fees that result from the attack.
Why Abnormal Remediated This Email
Credential phishing attacks that involve impersonating a financial services provider can be especially damaging. Fortunately, Abnormal prevented this email from being delivered and stopped the attacker in their tracks.
The email content contained a link Abnormal identified as suspicious and included language that is consistent with attempts to steal personal information.
The URL in the email that starts with stripe[.]com/id/UserLocation= actually links to dashboard.stripe.com.s-xq[.]com/admin
The domain of the sender email (pwokepssks[.]com) isn’t found in any of the email body links, and the reply-to address is different than the sender address.
When combined with other signals, this was enough information for Abnormal to immediately block the attack.
Stopping Credential Phishing Attacks
As threat actors continue to upgrade and enhance their strategies, it will become increasingly more difficult to recognize attacks. If you receive a “suspicious login” alert in your inbox, it's best to go directly to the website instead of clicking through a link in the email.
The most effective way to prevent falling victim to a credential phishing attack, however, is to invest in an email security solution that ensures the message is never delivered. Only by doing so can you ensure that these emails never reach your end users’ inboxes.