Pierluigi Paganini November 15, 2019

Visa Payment Fraud Disruption warns of a new JavaScript skimmer dubbed Pipka used to siphon payment data from e-commerce merchant websites.

Visa Payment Fraud Disruption warns of a new JavaScript skimmer dubbed Pipka that was used by crooks to steal payment data from e-commerce merchant websites.

Experts discovered the Pipka while investigating an e-commerce website that was previously infected with the Inter JavaScript skimmer. Unlike other skimmers, Pipka has the ability to remove itself from the compromised HTML code after execution, in an effort to avoid detection, Visa notes in a security alert (PDF).

“In September 2019, Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program identified a new JavaScript skimmer that targets payment data entered into payment forms of eCommerce merchant websites. PFD is naming the skimmer Pipka, due to the skimmer’s configured exfiltration point at the time of analysis (as shown below in the Pipka C2s).” reads the advisory published by VISA. “Pipka was identified on a North American merchant website that was previously infected with the JavaScript skimmer Inter, and PFD has since identified at least sixteen additional merchant websites compromised with Pipka.”

Similar to Inter, Pipka allows configuring which fields in the target forms it will parse and extract. The skimmer software is able to capture payment account number, expiration date, CVV, and cardholder name and address, from the checkout pages of the targeted sites.

In the cases investigated by PFD, the skimmer was configured to check for the payment account number field. Data captured by the skimmer is base64 encoded and encrypted using ROT13 cipher. Before sending the data to the C2, the skimmer checks if the data string was previously sent in order to avoid sending duplicate data.

Experts noticed that all the samples they analyzed contained the same value for scriptId: ‘#script’. One sample analyzed by the experts was specifically customized to target two-step checkout pages that collect billing data on one page and payment account data on another.

“This sample uses two different lists to target form fields, inputsBill and inputsCard, and the variable curStep to calculate which form’s data is being stored in a cookie instead of the variable name trigger.” continues the advisory.

One of the analyzed samples was designed to target two-step checkout pages, where billing data and payment account data is collected on different pages.

The Pipka skimmer implements some unique anti-forensics features, it is able to remove its code from the HTML code of the page that is hosting it.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution.” states VISA. “This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming,”

Pipka also uses a new technique to hide the exfiltration of harvested data. The skimmer uses an image GET request, but unlike other skimmers instead of loading and then immediately removing the image tag, Pipka sets the onload attribute of the image tag. The ‘onload’ attribute executes supplied JavaScript when the tag is loaded, in this case, the JavaScript includes the code to remove the image tag once it is loaded

VISA PFD believes that Pipka will continue to evolve and that its use will increase in the cybercrime ecosystem to target eCommerce merchant websites.

Pierluigi Paganini

(SecurityAffairs – Pipka, software skimmer)

[adrotate banner=”5″]

[adrotate banner=”13″]