A new JavaScript payment card skimmer, dubbed Pipka, has been identified on at least seventeen merchant websites attempting to target site visitors’ payment data. Unlike other skimmers, Pipka removes itself from the HTML code of compromised websites after exfiltrating payment card data – a detection evasion technique never seen before with JavaScript web skimmers.
Like other JavaScript skimmers, Pipka is injected into websites to steal data that’s entered into online payment forms on e-commerce websites. When a visitor goes to that website, the skimmer will then scoop up personal details entered on the site – including payment-card information such as payment account number, expiration date, three-digit Card Verification Value (CVV) and the cardholder’s name and address, according to the Visa Payment Fraud Disruption (PFD) group, which first detected Pipka.
“PFD assesses that Pipka will continue to be used by threat actors to compromise eCommerce merchant websites and harvest payment account data,” said Visa researchers in a recent alert. “The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed… This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming.”
Pipka was first identified on an unnamed North American merchant website, and researchers have since identified sixteen additional unnamed websites compromised by the skimmer (Threatpost has reached out to the researchers for further information on the names of the victim sites).
Researchers said that the skimmer is injected directly into varying locations on the targeted merchant’s website and, once executed, harvests the data in the configured form fields. The skimmer checks for these configured fields before executing; specifically, Pipka is configured to check for the “payment account number” field. Then, Pipka checks that the data string was not previously sent to avoid sending duplicate data, and exfiltrates the payment card data to a command and control (C2) server.
New Features
Researchers said that Pipka includes some unique features not previously observed, the most interesting of which centers on anti-forensics.
When the skimmer executes, it calls the start function, which in turn calls the clear function and sets the skimmer to look for data every second. Immediately after the script loads, the clear function locates the skimmer’s script tag on the page and removes it – making it difficult for analysts or website administrators to spot the code when visiting the page.
It’s important to note that the self-removal feature discovered in Pipka is common in desktop malware, such as the PureLocker ransomware and KeyPass malware. But researchers say that the capability has not been observed in JavaScript skimmers until now.
“This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution,” researchers said. “This self-cleaning feature is common in desktop malware, but has not been observed in JavaScript skimmers until now.”
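A defender-side counterpart to that behaviour, as an added example that is not code from the Visa alert or from Pipka: a small detector that records when each script element is inserted into the page and flags any that is removed again within a short window. The 5-second window and the idea of installing it early from a monitoring extension are assumptions; the event list is constructed.

```javascript
const SELF_REMOVAL_WINDOW_MS = 5000; // assumption: a script gone within 5 s of insertion is suspicious

// Tracks when each <script> was inserted and reports removals inside the window.
function makeScriptLifetimeTracker(windowMs = SELF_REMOVAL_WINDOW_MS) {
  const live = new Map(); // id -> { src, addedAt }
  return {
    onAdded(id, src, t) { live.set(id, { src: src || '', addedAt: t }); },
    onRemoved(id, t) { // returns a finding or null
      const e = live.get(id);
      if (!e) return null;
      live.delete(id);
      const lifetimeMs = t - e.addedAt;
      if (lifetimeMs < 0 || lifetimeMs > windowMs) return null;
      return { id, src: e.src, inline: e.src === '', lifetimeMs };
    },
  };
}

// Replays { type: 'added'|'removed', id, src, t } events (t in ms) and returns findings.
function replayScriptEvents(events, windowMs = SELF_REMOVAL_WINDOW_MS) {
  const tracker = makeScriptLifetimeTracker(windowMs);
  const findings = [];
  for (const ev of events) {
    if (ev.type === 'added') tracker.onAdded(ev.id, ev.src, ev.t);
    else { const f = tracker.onRemoved(ev.id, ev.t); if (f) findings.push(f); }
  }
  return findings;
}

// Constructed sample: a normal inline script stays for three minutes; a second script vanishes 40 ms after injection.
const SAMPLE_EVENTS = [
  { type: 'added',   id: 's1', src: '',                                   t: 0 },
  { type: 'added',   id: 's2', src: 'https://cdn.example.invalid/tag.js', t: 100 },
  { type: 'removed', id: 's2',                                            t: 140 },
  { type: 'removed', id: 's1',                                            t: 180000 },
];

// Browser wiring (assumption: installed before other scripts, e.g. from a monitoring extension).
function watchScriptRemovals(onFinding, windowMs = SELF_REMOVAL_WINDOW_MS) {
  if (typeof MutationObserver === 'undefined') return null; // not running in a browser
  const tracker = makeScriptLifetimeTracker(windowMs);
  const ids = new WeakMap(); let seq = 0;
  const idOf = (n) => { if (!ids.has(n)) ids.set(n, 'script#' + seq++); return ids.get(n); };
  const obs = new MutationObserver((records) => {
    const now = performance.now();
    for (const r of records) {
      for (const n of r.addedNodes) if (n.tagName === 'SCRIPT') tracker.onAdded(idOf(n), n.src, now);
      for (const n of r.removedNodes) if (n.tagName === 'SCRIPT') { const f = tracker.onRemoved(idOf(n), now); if (f) onFinding(f); }
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}
```

The observer only sees scripts inserted after it is installed, so a tag already present in the served HTML is invisible to it; server-side integrity checks of the page source are still needed for that case.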
Before sending exfiltrated data to the C2 server, the skimmer also applies ROT13 encoding to obscure the stolen data. ROT13 is a simple letter-substitution cipher that replaces each letter with the one 13 positions further along the alphabet. While the use of ROT13 has been observed before, it was previously implemented on the exfiltration C2 server, not in the skimmer itself, researchers said.
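As an added example (not code from the alert or from Pipka), a triage routine for captured outbound request bodies that shows why ROT13 is thin cover for card data: it rotates only letters, so the card number's digits pass through unchanged and a Luhn check finds them without any decoding, while decoding the letters recovers the field names the skimmer used. The sample body and its field names are constructed.

```javascript
// ROT13 rotates A-Z and a-z by 13 places; digits and punctuation are untouched.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Standard Luhn checksum over a digit string.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Luhn-valid 13-19 digit runs (spaces or dashes between digits allowed), masked to first 6 / last 4.
function findPans(text) {
  const out = [];
  for (const m of text.matchAll(/\d(?:[ -]?\d){12,18}/g)) {
    const d = m[0].replace(/[ -]/g, '');
    if (luhnValid(d)) out.push(d.slice(0, 6) + '*'.repeat(d.length - 10) + d.slice(-4));
  }
  return out;
}

// Triage one captured body: PANs are searched on the raw text (ROT13 does not hide digits);
// the letters are decoded to recover form field names for the analyst.
function triageExfilBody(body) {
  const pans = findPans(body);
  const decoded = rot13(body);
  const keysIn = (s) => (s.match(/[A-Za-z_]+(?==)/g) || []);
  return { suspicious: pans.length > 0, pans, rawKeys: keysIn(body), rot13Keys: keysIn(decoded), decoded };
}

// Constructed sample: rot13('card=4111111111111111&exp=1225&name=Jane Doe')
const SAMPLE_BODY = 'pneq=4111111111111111&rkc=1225&anzr=Wnar Qbr';
```

A network rule keyed on the literal field name "card=" would miss this body, while one keyed on Luhn-valid digit runs would not; that is the practical reason to check for both.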
Web Skimmers
Web skimmers have been a favorite of cybercriminals over the past year.
The most infamous example is Magecart, which has made headlines over the past year or so for high-profile breaches of companies like VisionDirect, Ticketmaster and more. The group is known for its use of web-based, digital card skimmers: scripts injected into websites, either directly or through compromised third-party suppliers used by those sites, to steal data that is entered into online payment forms on e-commerce websites. More recently, the Magecart threat group continued its offensive with two newly disclosed breaches targeting bedding retailers MyPillow and Amerisleep.
And in July, malicious domains masquerading as Google sites were discovered being used by payment card-skimming adversaries looking to dupe website visitors.
“Online credit card skimming differs from the physical skimming practices most people have heard about in that there isn’t an obvious way the average person will be able to identify if or when a web site has been compromised,” Tim Mackey, principal security strategist with Synopsys said in an email. “The only potential tell-tale sign might be that the website itself doesn’t quite look ‘right,’ though more sophisticated attacks can make even differentiating between a fake site and a legitimate one challenging.”
Visa researchers recommended that websites institute recurring checks in eCommerce environments for C2 communications, ensure familiarity with all code integrated into those environments, and closely vet Content Delivery Networks.