What separates Pipka from other skimmers is its ability to delete itself from the compromised HTML code after execution in order to avoid detection, Visa states in a security alert (PDF).
The skimmer lets operators configure which form fields to parse and extract from the targeted checkout pages, including payment account number, expiry date, CVV and the name and address of the cardholder. The software searches for these specified fields before execution.
The skimmer, which is injected directly into various locations on the compromised sites, collects the data from the specified fields, encodes it in base64, encrypts it and exfiltrates it, but only after checking whether the data string was previously sent to the C&C server.
One of the samples analyzed was intended for two-stage checkout pages, which collect billing and payment account data on different pages.
The skimmer focuses on anti-forensics by calling a function that removes the skimmer's script tag from the page immediately after the file loads, making it hard for website analysts to detect the software.
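A site owner can surface this self-removal from inside the page. The following is an added example (not code from the Visa alert or from this article) that uses a `MutationObserver` to report script elements removed from the DOM shortly after they were inserted; the function names and the 5-second window are assumptions.

```javascript
// Added example: report <script> elements removed soon after insertion.
const REMOVAL_WINDOW_MS = 5000; // assumed threshold, tune per site
const isScript = (n) => !!n && n.nodeType === 1 && String(n.nodeName).toUpperCase() === 'SCRIPT';

// records: MutationRecord-like objects; seen: WeakMap(node -> first-seen ms).
function findSelfRemovingScripts(records, seen, now) {
  const findings = [];
  for (const rec of records) {
    if (rec.type !== 'childList') continue;
    for (const node of rec.addedNodes) {
      if (isScript(node) && !seen.has(node)) seen.set(node, now);
    }
    for (const node of rec.removedNodes) {
      if (!isScript(node)) continue;
      // Unknown lifetime (null): the script predates the observer.
      const lifetimeMs = seen.has(node) ? now - seen.get(node) : null;
      seen.delete(node);
      if (lifetimeMs !== null && lifetimeMs > REMOVAL_WINDOW_MS) continue;
      findings.push({
        src: node.src || '(inline)',
        lifetimeMs,
        // Keep the inline body: once the tag is gone this is the only copy.
        body: node.src ? '' : String(node.textContent || ''),
      });
    }
  }
  return findings;
}

// Browser wiring: load this first in <head> so later scripts are observed.
function startScriptRemovalMonitor(report) {
  const seen = new WeakMap();
  const observer = new MutationObserver((records) => {
    const now = Date.now();
    for (const f of findSelfRemovingScripts(records, seen, now)) report(f);
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample records (not real telemetry) so the logic runs under Node.
function demo() {
  const s = { nodeType: 1, nodeName: 'SCRIPT', src: '', textContent: '/* constructed sample */' };
  const seen = new WeakMap();
  findSelfRemovingScripts([{ type: 'childList', addedNodes: [s], removedNodes: [] }], seen, 0);
  return findSelfRemovingScripts([{ type: 'childList', addedNodes: [], removedNodes: [s] }], seen, 150);
}
```

Legitimate loaders (JSONP helpers, some tag managers) also remove their own script tags, so findings are leads to triage rather than verdicts. A script removed as part of a larger subtree is not covered by this example.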
Although some of its approaches differ, Pipka's end result is identical to that of any other skimmer: the exfiltration of payment card data from e-commerce sites. The new threat, Visa notes, is expected to continue to be used in live attacks.