Current JavaScript Skimmer’s Visa Warnings ‘ Pipka ‘

New JavaScript Skimmer

Visa Payment Fraud Disruption (PFD) alerts that a new JavaScript skimmer targets the data entered in the payment forms of e-Commerce retailer websites.

Dubbed Pipka, the skimmer was found on a previously compromised ecommerce website with the Inter JavaScript skimmer, but has also infected at least sevene other trading sites.

What separates Pipka from other skimmers is that it has the ability to delete itself after the execution from the compromised HTML code in order to avoid detection, Visa states in a security alert (PDF).

The skimmer allows operators to configure form fields for parsing and extracting from the targeted checkout pages, including payment account number, expiry date, CVV and the name and address of the cardholder. The software searches for these specified fields before execution.

Skimmer collects the data from the specific fields directly injected to various locations on the compromised sites and then encodes it into base64, encrypts it and exfiles it, not before checking whether the data string was previously sent to the C&C server.

One of the samples analyzed was intended for two-stage checkout pages, which collect billing and payment account data on different pages.

The skimmer focuses on anti-forensicsby calling a feature, which removes the script tag of the skimmer from the page immediately after loading the file, making it hard for website analysts to detect software.

“Pipka’s most interesting and unique feature is its ability, when successfully completed, to delete itself from HTML code. This helps Pipka to avoid detection, as after initial execution it is not present within the HTML code. This functionality was not previously seen in the wild and represents a major advancement in the skimming of JavaScript, “Visa says.

Pipka is also using a picture GET query for this activity to cover the exfiltration. Unlike other skimmers, however, the image tag does not be immediately deleted, but sets the onload image tag attribute to remove the image tag when the JavaScript code is loaded.

Furthermore, Pipka’s end result is identical to any other skimmer, although some approaches are different: the exfiltration of payment card data from e-commerce sites. The new threat, notes Visa, is expected to continue in live attacks.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.