It’s become routine to see red security seals on gas pumps when you stop to fuel up. They’re meant to reassure consumers by signifying the pump hasn’t been infiltrated by a card skimmer to swipe bank and credit card information.
The skimming threat has migrated to the ecommerce sphere this holiday season, with Visa warning ecommerce merchants about a new JavaScript skimmer targeting customer data entered at the point-of-sale (POS) in payment forms on sellers’ websites.
The Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program identified the skimmer, naming it Pipka based on its exfiltration point (where data is extracted) at the time of the analysis.
“Pipka was identified on a North American merchant website that was previously infected with the JavaScript skimmer Inter, and PFD has since identified at least sixteen additional merchant websites compromised with Pipka,” Visa said. “PFD previously reported on the use of Inter to target service providers with malicious skimming code that was integrated into ecommerce merchant environments.”
Pipka has a key difference, however. “The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed,” Visa said in its warning. “This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming.”
Cybercriminals can configure Pipka to specify which fields in ecommerce forms it will extract data from. That lets it extract customer data including payment account numbers, card expiration dates, CVV numbers, and names and addresses, Visa noted.
“The skimmer checks for these configured fields before executing, and in the cases investigated by PFD, the skimmer is configured to check for the payment account number field,” Visa said in its alert. “Pipka is injected directly into varying locations on the targeted merchant’s website and, once executed, harvests the data in the configured form fields. The harvested data is base64 encoded and encrypted using ROT13 cipher. Before exfiltrating the harvested data, the skimmer checks if the data string was previously sent in order to avoid sending duplicate data. If the string is unique, the data is exfiltrated to a command and control.”
According to Visa, Pipka also:
- Has a self-cleaning feature common in desktop malware but not observed in JavaScript skimmers previously
- Uses a novel method to hide exfiltration
- Further displays unique methods in the ROT13 and Base64 encoding of the skimmed data
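For defenders reviewing captured outbound request values, the encoding Visa describes can be reversed and the result checked for card numbers. The sketch below is an added example, not code from Visa's alert or from Pipka itself; it assumes the data was base64 encoded first with ROT13 applied on top, and the function names, field layout and sample values are constructed for illustration.

```javascript
'use strict';

// ROT13 is its own inverse: applying it again restores the base64 text.
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Luhn checksum, used to cut false positives on arbitrary digit runs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Undo ROT13 then base64 on one captured value (assumed order). Returns null
// when the result is not well-formed base64 or does not decode to printable text.
function decodeCandidate(value) {
  const b64 = rot13(value.trim());
  if (b64.length < 16 || b64.length % 4 !== 0) return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  const text = Buffer.from(b64, 'base64').toString('utf8');
  return /^[\x20-\x7e\r\n\t]+$/.test(text) ? text : null;
}

// Flag values whose decoded form contains a Luhn-valid 13-19 digit number.
function looksLikeSkimmedCard(value) {
  const text = decodeCandidate(value);
  if (text === null) return false;
  const runs = text.match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Constructed samples (not real traffic): a test card number in a made-up layout.
const SAMPLE_PLAIN = 'cardnumber=4111111111111111&exp=12/25';
const SAMPLE_EXFIL = rot13(Buffer.from(SAMPLE_PLAIN).toString('base64'));
const SAMPLE_BENIGN = Buffer.from('session_id=abcdef1234567890').toString('base64');

console.log(looksLikeSkimmedCard(SAMPLE_EXFIL), looksLikeSkimmedCard(SAMPLE_BENIGN));
```

Because Visa notes that Pipka's ROT13 and Base64 handling is unusual, a real sample may need the decoding order or alphabet adjusted before this check matches.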
The use of skimmers to steal customer data from ecommerce sites isn’t a new phenomenon.
“Over the past year, numerous retail brands including PoshMark, Kay Jewelers, Planet Hollywood, Jared, Macy’s, and Adidas experienced a serious data breach,” Chad McDonald, VP of Customer Experience at Arxan, wrote in a recent Multichannel Merchant column. “In fact, the retail sector climbed quickly to the second most-often cited industry disclosing data breaches during the first half of 2019, second only behind healthcare.”
Visa expects the continued use of Pipka, and its warning offers a list of best practices and mitigation measures.