Abstract Yellow Hills

Stripe Website Impersonated in Credential Phishing Attack

In this sophisticated credential phishing attack, the threat actor created a duplicate version of Stripe’s entire website.

June 2, 2022

The core elements of most credential phishing attacks have remained constant over the years, where the attacker sends the target an email containing a link to a phishing site. However, the way modern threat actors approach the phishing site aspect of these attacks has become increasingly elaborate.

In a recent attack, the threat actor leveraged a man-in-the-middle framework—capable of displaying live content and bypassing multifactor authentication—to recreate Stripe’s website to steal login credentials. Here’s a look at how the attack was executed and how Abnormal was able to stop it.

Summary of Attack Target

  • Platform: Microsoft 365

  • Targets: Stripe Users

  • Payload: Malicious Link

  • Technique: Brand Impersonation

About the Stripe Credential Phishing Attack

As with all credential phishing attempts, the threat actor started by sending an email to the target about a fabricated situation that required immediate attention. The intent was to bait the recipient into clicking on a phishing link.

In this case, the phishing email is designed to look as if it’s being sent from Stripe. The message states that Stripe has detected a login from a new IP address in Russia and instructs the recipient to click on a link if they don’t recognize the device or location.

Stripe Credential Phishing Attack Email

When the recipient clicks on the link in the email, they are redirected to the credential phishing site—an imitation of Stripe’s sign-in page.

Stripe Credential Phishing Attack Stripe Sign in Page Fake

Phishing Stripe Sign-in Page

If they enter their credentials, the attacker now has access to their account, giving them the power to change bank information, redirect incoming payments, and send fraudulent payment requests.

As an online payment processing platform with more than 3 million users, Stripe is an essential business tool for organizations all over the globe. For some Stripe users, the solution is a simple, secure way to accept payments. For others, however, it's the foundation upon which all financial aspects of the organization are built. This means that a compromised Stripe account can have catastrophic consequences.

Why This Credential Phishing Attack Is Unique

Frankly, the email itself is not particularly remarkable, as it follows the basic credential phishing email formula. What is remarkable is the phishing site itself.

Often, credential phishing sites seem legitimate at first glance, but upon closer inspection, you can see obvious indicators of impersonation: misspellings, grammar mistakes, broken links, inferior design elements, or similar issues. This phishing site, on the other hand, is a perfect replica of Stripe’s sign-in page. The only difference is the domain—stripe.com.s-xq[.]com—which, you'll notice, contains the actual Stripe domain within the URL.

Compare the real Stripe sign-in page below to the phishing page above:

Stripe Credential Phishing Attack Stripe Sign in Page Real

Real Stripe Sign-in Page

The pages are indistinguishable.

But the impersonation doesn’t stop there; in fact, the entire website has been replicated. Here are screenshots of the fake version of the Stripe homepage and the real one:

Stripe Credential Phishing Attack Stripe Home Fake

Phishing Stripe Homepage

Stripe Credential Phishing Attack Stripe Home Real

Real Stripe Homepage

They’re identical—down to the animated background.

It’s the same with the pricing page:

Stripe Credential Phishing Attack Stripe Pricing Page Fake

Phishing Stripe Pricing Page

Stripe Credential Phishing Attack Stripe Pricing Page Real

Real Stripe Pricing Page

Nearly every page on the fake website looks and behaves exactly as a visitor would expect the actual Stripe pages to. This indicates that Stripe’s legitimate website was likely cloned when building the phishing kit for the attack.

Even if the target was suspicious and clicked through a few different pages to confirm the site’s legitimacy, they could still be fooled because the threat actor has created an exact duplicate of every page on the entire domain.

The ruse only truly starts to come apart on the signup page. In the screenshot below, you can see the Google reCAPTCHA widget is displaying an error: “ERROR for site owner: Invalid domain for site key”.

Stripe Credential Phishing Attack Stripe Signup Page Fake

Phishing Stripe Signup Page

Google’s reCAPTCHA is a CAPTCHA system that runs in the background of a website and helps prevent fraudulent activity. To add a reCAPTCHA to your site, you must register your domain and create a site key. If a reCAPTCHA is placed on a website hosted on a domain other than the one in the site key settings, the reCAPTCHA will fail and display this error:

Stripe Credential Phishing Attack re CAPTCHA Error

Here, the reCAPTCHA detected the mismatch between the domain associated with the site key (dashboard.stripe[.]com) and the domain on which the reCAPTCHA was being used (dashboard.stripe.com.s-xq[.]com). This is one of the very few visible indicators that the website is illegitimate.

Breaking Down the Attack Strategy and Impact

Based on what we observed, this appears to be a sophisticated man-in-the-middle (MITM) attack, in which a cybercriminal positions themselves between two parties to intercept private information. For this attack, the threat actor utilized a framework that displayed the live content from the actual Stripe website when the target visited the corresponding page on the stripe.com.s-xq[.]com domain.

Along with allowing the attacker to recreate the entire Stripe website, the MITM framework also enables them to bypass the multifactor authentication process. This, coupled with the fact there are a limited number of indicators that the website is a copycat version, means that if the target clicks on the phishing link, the threat actor’s chances of successfully stealing credentials are substantially higher than in the average credential phishing attack.

Payment solutions providers like Stripe are some of the most often impersonated brands in credential phishing attacks. This is because by gaining access to a Stripe account, not only can cybercriminals redirect deposits and send fake payment requests, but they can also steal sensitive financial information about both the organization and its customers to use in future attacks.

Even worse, victims of such attacks may not be able to easily resolve the situation, and their accounts could be shut down permanently. Being forced to deactivate their Stripe account also impacts their ability to use any other platforms connected to that account, such as billing software and e-commerce solutions. The company will also have to deal with the headache of disputing fraudulent charges with their bank, as well as any additional fees that result from the attack.

Why Abnormal Remediated This Email

Credential phishing attacks that involve impersonating a financial services provider can be especially damaging. Fortunately, Abnormal prevented this email from being delivered and stopped the attacker in their tracks.

Here’s why:

  • The email content contained a link Abnormal identified as suspicious and included language that is consistent with attempts to steal personal information.

  • The URL in the email that starts with stripe[.]com/id/UserLocation= actually links to dashboard.stripe.com.s-xq[.]com/admin

  • The domain of the sender email (pwokepssks[.]com) isn’t found in any of the email body links, and the reply-to address is different than the sender address.

When combined with other signals, this was enough information for Abnormal to immediately block the attack.

Stripe Credential Phishing Attack Threat Log

Stopping Credential Phishing Attacks

As threat actors continue to upgrade and enhance their strategies, it will become increasingly more difficult to recognize attacks. If you receive a “suspicious login” alert in your inbox, it's best to go directly to the website instead of clicking through a link in the email.

The most effective way to prevent falling victim to a credential phishing attack, however, is to invest in an email security solution that ensures the message is never delivered. Only by doing so can you ensure that these emails never reach your end users’ inboxes.


Learn how Abnormal stops sophisticated credential phishing attacks like this one. Request a demo today.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More
Enhanced Remediation Blog Cover
The most effective way to manage spam and graymail is to leverage a cloud-native, API-based architecture to understand identity, behavior, and content patterns.
Read More
B 05 16 22 VP of Recruiting
We are thrilled to announce the addition of Mary Price, our new Vice President of Talent. Mary will support our continued investment in the next generation of talent here at Abnormal.
Read More
B 06 01 22 Stripe Phishing
In this sophisticated credential phishing attack, the threat actor created a duplicate version of Stripe’s entire website.
Read More
B Podcast Engineering9
In episode 9 of Abnormal Engineering Stories, Dan sits down with Mukund Narasimhan to discuss his perspective on productionizing machine learning.
Read More
B 05 31 22 RSA Conference
Attending RSA Conference 2022? So is Abnormal! We’d love to see you at the event.
Read More
B 05 27 22 Active Ransomware Groups
Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.
Read More
B 05 24 22 ESI Season 1 Recap Blog
The first season of Enterprise Software Innovators (ESI) has come to a close. While the ESI team is hard at work on season two, here’s a recap of some season one highlights.
Read More
B 05 13 22 Hiring Experience
Abnormal Security is committed to offering an exceptional experience for candidates and employees. Hear about our recruiting and onboarding firsthand from three Abnormal employees.
Read More
B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More