Malware

A new sophisticated JavaScript Skimmer dubbed Pipka used in the wild

Visa Payment Fraud Disruption warns of a new JavaScript skimmer dubbed Pipka used to siphon payment data from e-commerce merchant websites.

Visa Payment Fraud Disruption warns of a new JavaScript skimmer dubbed Pipka that was used by crooks to steal payment data from e-commerce merchant websites.

Experts discovered the Pipka while investigating an e-commerce website that was previously infected with the Inter JavaScript skimmer. Unlike other skimmers, Pipka has the ability to remove itself from the compromised HTML code after execution, in an effort to avoid detection, Visa notes in a security alert (PDF).

“In September 2019, Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program identified a new JavaScript skimmer that targets payment data entered into payment forms of eCommerce merchant websites. PFD is naming the skimmer Pipka, due to the skimmer’s configured exfiltration point at the time of analysis (as shown below in the Pipka C2s).” reads the advisory published by VISA. “Pipka was identified on a North American merchant website that was previously infected with the JavaScript skimmer Inter, and PFD has since identified at least sixteen additional merchant websites compromised with Pipka.”

Similar to Inter, Pipka allows configuring which fields in the target forms it will parse and extract. The skimmer software is able to capture payment account number, expiration date, CVV, and cardholder name and address, from the checkout pages of the targeted sites.

In the cases investigated by PFD, the skimmer was configured to check for the payment account number field. Data captured by the skimmer is base64 encoded and encrypted using ROT13 cipher. Before sending the data to the C2, the skimmer checks if the data string was previously sent in order to avoid sending duplicate data.

Experts noticed that all the samples they analyzed contained the same value for scriptId: ‘#script’. One sample analyzed by the experts was specifically customized to target two-step checkout pages that collect billing data on one page and payment account data on another.

“This sample uses two different lists to target form fields, inputsBill and inputsCard, and the variable curStep to calculate which form’s data is being stored in a cookie instead of the variable name trigger.” continues the advisory.

One of the analyzed samples was designed to target two-step checkout pages, where billing data and payment account data is collected on different pages.

The Pipka skimmer implements some unique anti-forensics features, it is able to remove its code from the HTML code of the page that is hosting it.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution.” states VISA. “This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming,”

Pipka also uses a new technique to hide the exfiltration of harvested data. The skimmer uses an image GET request, but unlike other skimmers instead of loading and then immediately removing the image tag, Pipka sets the onload attribute of the image tag. The ‘onload’ attribute executes supplied JavaScript when the tag is loaded, in this case, the JavaScript includes the code to remove the image tag once it is loaded

VISA PFD believes that Pipka will continue to evolve and that its use will increase in the cybercrime ecosystem to target eCommerce merchant websites.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Pipka, software skimmer)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

6 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

12 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

24 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.