“In September 2019, Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (
Similar to Inter, Pipka allows configuring which fields in the target forms it will parse and extract. The skimmer software is able to capture payment account number, expiration date, CVV, and
In the cases investigated by PFD, the skimmer was configured to check for the payment account number field. Data captured by the skimmer is base64 encoded and encrypted using ROT13 cipher. Before sending the data to the C2, the skimmer checks if the data string was previously sent in order to avoid sending duplicate data.
Experts noticed that all the samples they analyzed contained the same value for
“This sample uses two different lists to target form fields,
One of the analyzed samples was designed to target two-step checkout pages, where billing data and payment account data is collected on different pages.
The Pipka skimmer implements some unique anti-forensics features, it is able to remove its code from the HTML code of the page that is hosting it.
“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution.”
Pipka also uses a new technique to hide the
VISA PFD believes that Pipka will continue to evolve and that its use will increase in the cybercrime ecosystem to target eCommerce merchant websites.
(SecurityAffairs – Pipka, software skimmer)