Stripe Logo

Stripe users targeted by phishing attacks

A new phishing campaign aimed at users of the online payment processing giant Stripe is harvesting user credentials and bank details.

Posing as an alert from the Stripe Support team, the email warns recipients some of the details on their account are invalid. It then urges them to quickly resolve the issue, by clicking a “Review your details” button, to avoid having their account frozen. The button leads victims to a fake Stripe login page, which first asks for login credentials, then the user’s bank account and phone numbers.

The malicious emails, which were first exposed on October 17th, utilise two devious techniques to reduce suspicion while stealing the victim’s information. First, by adding a title to the HTML’s <a> tag, the URL of the button is not shown, stopping the victim from seeing the malicious destination if they hover the mouse over the button. Second, once the user has given up their details on the fake login page, it displays a “Wrong password” error and redirects to the regular Stripe login page.

This is a tried and tested social engineering technique, instilling a sense of urgency with the recipient, then dispelling concerns or suspicions by leading them back to the genuine page after harvesting their details.

Old technique or not, it’s still working.

“This is cause for panic among businesses that rely solely on online transactions and payments. Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions”

Milo Salvia – Threat Analyst, Cofense

The email is well coded, hiding the URL is a nice touch, but the opening line “Dear Costumer,” makes it painfully obvious that this is not a legitimate alert.

That techniques like this work so well shines a light on the need users have for effective Security Awareness Training.

Users with a solid understanding of basic phishing techniques would be significantly less likely to fall for poorly written emails like these.

At Phishing Tackle we believe Security Awareness Training is essential and should not be reserved only for organisations with immense budgets. Take a look at our cost calculator to see how affordable we really are.

Recent posts