Once again, a peculiar phishing attack has surfaced online, this time, targeting Stripe users. The attack not only aims at stealing the users account credentials, but also their banking information.
Stripe Users Faced Phishing Attack
Researchers from Cofense have discovered another phishing attack actively targeting Stripe users, an online payment processor. As described in their recent blog post, the phishing attack not only aims to steal users’ login data but also lures them to share their financial details.
The attack begins with bogus emails impersonating Stripe as the sender. The content of the email is enough to create a sense of panic as it informs the recipient of invalid account details. The attackers have also designed this email quite smartly as they spoof the sender’s ID as ‘Stripe Support’. They have also customized the clickable ‘Review your details’ button in the email with a custom HTML title tag. This prevents the user from seeing a preview of the embedded link while hovering the mouse on it.
Clicking on the ‘Review’ button then lands the user to the phishing website that includes a series of web pages. The first page asks the users’ credentials, submitting which redirects the user to another web page asking the bank account number and the users’ phone number. The last page then redirects the victim to the actual login page of Stripe’s website to avoid possible detection.
Stay Wary Of All Phishing Attempts
While most of the phishing campaigns lure users via business emails, the technique isn’t limited to emails only. Rather criminal hackers are also using various social media phishing tricks too. Likewise, these attacks not only aim at stealing users’ login data but also aim at stealing personal and bank details.
To prevent such attacks, users must stay wary of all such emails that ask you to enter any information. It is likely that an incoming email constitutes a phishing attack unless you already expect it as a result of your action. For example, the verification/login alert email you receive while resetting password of any online account.
In simple words, whenever you receive an email alerting about a suspicious/failed login attempt, account expiration/verification/authentication, or any other matter, try your best to verify it from the source stated in the email via another means. For instance, you can call your bank to verify an email you received supposedly from your bank, or contact the customer support of the firm, such as Microsoft or Instagram, to validate the message. Unless you are assured of the emails’ genuineness, it is better to avoid responding or acting to any such messages.