Finance / payments — Stripe-abusing Magecart and OFAC Iran sanctions
Part of run 2026-W23-9118e7bd (weekly · Claude Sonnet 4.6)
Sansec documented a Magecart variant this week that delivers its skimmer through Stripe customer metadata and exfiltrates stolen card data back through api.stripe.com as fake customer records (Sansec, 2026-06-04; daily 2026-06-07). Because both payload delivery and exfiltration transit a universally allow-listed domain, CSP connect-src controls and WAF egress rules built around blocking unknown domains are blind to this variant. Detection must move server-side: audit GTM container IDs, monitor Stripe customer-creation events for non-order-matched calls, and inspect customer-metadata fields for encoded JavaScript.

Separately, OFAC designated Nobitex and three Iranian exchanges for IRGC-affiliated ransomware proceeds. Confirmed wallet clusters now carry an OFAC sanctions-nexus consideration for any EU institution with US correspondent relationships.
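The two server-side checks named above for the Stripe-abusing skimmer (customer records with no matching order, and metadata values that decode to script) can be sketched as follows. This is an added example, not code from Sansec or from this brief; it assumes customer records have already been exported as dicts with `id` and `metadata` fields and that the set of order-linked customer IDs comes from the merchant's own order database. The token list is a heuristic and all sample data is constructed.

```python
import base64
import binascii
import re

# Heuristic markers of script content (assumption; tune to your environment).
JS_TOKENS = re.compile(r"eval\s*\(|atob\s*\(|new\s+Function|document\.|<script|fetch\s*\(", re.I)
# Long runs of base64 / base64url characters are worth decoding and re-checking.
B64_RUN = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")

def looks_like_script(value):
    """Return 'plain-js', 'base64-js', or None for a single metadata value."""
    if JS_TOKENS.search(value):
        return "plain-js"
    if B64_RUN.match(value):
        std = value.replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)  # restore stripped padding
        try:
            decoded = base64.b64decode(std, validate=True)
        except (binascii.Error, ValueError):
            return None
        if JS_TOKENS.search(decoded.decode("utf-8", "replace")):
            return "base64-js"
    return None

def audit_customers(customers, order_customer_ids):
    """Flag customers with no matching order or script-like metadata."""
    findings = []
    for cust in customers:
        reasons = []
        if cust["id"] not in order_customer_ids:
            reasons.append("no-matching-order")
        for key, value in cust.get("metadata", {}).items():
            hit = looks_like_script(str(value))
            if hit:
                reasons.append(f"{hit}:{key}")
        if reasons:
            findings.append((cust["id"], reasons))
    return findings

# Constructed sample data: a harmless string stands in for an encoded payload.
ENCODED = base64.b64encode(b"document.title='constructed-sample'").decode()
SAMPLE_CUSTOMERS = [
    {"id": "cus_EXAMPLE_A", "metadata": {"order_ref": "1001"}},
    {"id": "cus_EXAMPLE_B", "metadata": {"note": ENCODED}},
    {"id": "cus_EXAMPLE_C", "metadata": {}},
]
SAMPLE_ORDER_CUSTOMER_IDS = {"cus_EXAMPLE_A"}

if __name__ == "__main__":
    for cust_id, reasons in audit_customers(SAMPLE_CUSTOMERS, SAMPLE_ORDER_CUSTOMER_IDS):
        print(cust_id, ", ".join(reasons))
```

A record that trips both checks, like the second constructed customer, is the strongest signal; an unmatched record on its own may be a legitimate abandoned checkout and needs correlation with storefront logs.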