It’s become routine to see red security seals on gas pumps when you stop to fuel up. They’re meant to reassure consumers by signifying the pump hasn’t been infiltrated by a card skimmer to swipe bank and credit card information.
Visa’s Payment Fraud Disruption (PFD) group, through its eCommerce Threat Disruption (eTD) program, identified the skimmer and named it Pipka after its exfiltration point (the location the stolen data is sent to) at the time of the analysis.
Cybercriminals can configure Pipka to specify which fields in ecommerce forms it will extract data from. That lets it harvest customer data including payment account numbers, card expiration dates, the CVV, and the cardholder’s name and address, Visa noted.
“The skimmer checks for these configured fields before executing, and in the cases investigated by PFD, the skimmer is configured to check for the payment account number field,” Visa said in its alert. “Pipka is injected directly into varying locations on the targeted merchant’s website and, once executed, harvests the data in the configured form fields. The harvested data is base64 encoded and encrypted using ROT13 cipher. Before exfiltrating the harvested data, the skimmer checks if the data string was previously sent in order to avoid sending duplicate data. If the string is unique, the data is exfiltrated to a command and control.”
According to Visa, Pipka also:
- Uses a novel method to hide exfiltration
- Further displays unique methods in the ROT13 and Base64 encoding of the skimmed data
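The alert describes the layering applied to harvested records (Base64 encoding plus ROT13) and the duplicate check that suppresses repeat exfiltration. The following is an added detection helper, written for this article and not code from Visa or from the skimmer itself: it reverses the two layers and flags decoded text that looks like harvested payment data. Because the alert does not state which layer is applied first, both orders are tried. The field-name list, the Luhn heuristic, and the `buildFixture` test record (which uses the public 4111111111111111 test card number) are assumptions made for the example.

```javascript
// Added example (not Visa's code or the Pipka skimmer): a detection helper
// that reverses the Base64 + ROT13 layering described in the alert and flags
// decoded payloads that look like harvested payment data.
// Assumptions (not from the alert): the layer order is unknown, so both
// orders are tried; "looks like card data" means a Luhn-valid 13-19 digit
// number or a configured field name such as pan, cvv or expiry.

function rot13(s) {
  // ROT13 is its own inverse, so the same function decodes.
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function base64Decode(s) {
  // Reject strings that are not plausibly Base64 before decoding.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s) || s.length % 4 !== 0) return null;
  return Buffer.from(s, 'base64').toString('utf8');
}

function luhnValid(digits) {
  let sum = 0;
  let alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// Candidate decodings: ROT13 then Base64 (the alert's "encoded then
// encrypted" reading) and Base64 then ROT13 (the reverse layering).
function candidateDecodings(blob) {
  const out = [];
  const a = base64Decode(rot13(blob));
  if (a !== null) out.push({ order: 'rot13->base64', text: a });
  const b = base64Decode(blob);
  if (b !== null) out.push({ order: 'base64->rot13', text: rot13(b) });
  return out;
}

// Hypothetical field names a skimmer might be configured to harvest.
const FIELD_HINTS = /\b(pan|card(number)?|cc_?num|cvv|cvc|exp(iry|_?date)?)\b/i;

function inspectPayload(blob) {
  for (const cand of candidateDecodings(blob)) {
    const pans = (cand.text.match(/\d{13,19}/g) || []).filter(luhnValid);
    const hasHint = FIELD_HINTS.test(cand.text);
    if (pans.length > 0 || hasHint) {
      return { suspicious: true, order: cand.order, pans, decoded: cand.text };
    }
  }
  return { suspicious: false, order: null, pans: [], decoded: null };
}

// Constructed fixture: a fake harvested form record using the public
// 4111111111111111 test card number, layered Base64 first and then ROT13.
// Built here only to exercise the detector.
function buildFixture() {
  const record = JSON.stringify({
    pan: '4111111111111111', exp: '12/27', cvv: '123', name: 'Jane Doe',
  });
  return rot13(Buffer.from(record, 'utf8').toString('base64'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(inspectPayload(buildFixture()));       // suspicious: true
  console.log(inspectPayload('aGVsbG8gd29ybGQ='));   // "hello world": benign
}
```

Run `inspectPayload` over request bodies or query strings captured from a merchant page (for example from a browser's network log or a proxy) to surface Base64 + ROT13 beacons carrying card data. One caveat that follows from the alert: the skimmer's duplicate check means each harvested record is sent at most once, so a single victim produces a single small beacon, and detections that rely on volume or repetition will not fire. Inspecting the content of outbound requests, as above, or restricting where page scripts may send data at all, is the more reliable control.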
Cybercriminals using skimmers to steal customer data from ecommerce sites isn’t a new phenomenon.
“Over the past year, numerous retail brands including PoshMark, Kay Jewelers, Planet Hollywood, Jared, Macy’s, and Adidas experienced a serious data breach,” Chad McDonald, VP of Customer Experience at Arxan, wrote in a recent Multichannel Merchant column. “In fact, the retail sector climbed quickly to the second most-often cited industry disclosing data breaches during the first half of 2019, second only behind healthcare.”
Visa expects Pipka to remain in use, and its alert offers a list of best practices and mitigation measures.