Researchers have found a new e-commerce skimmer, designed to steal payment card details, that has the unusual ability to remove itself after exfiltrating stolen data. Named Baka, the malware was discovered in February 2020 while Visa was examining a Command and Control (C2) server that had previously hosted an ImageID web skimming kit. Visa believes Baka was written by a skilled malware developer: it has the now-standard features, such as configurable target form fields and data exfiltration via image requests, but it also uses a unique obfuscation scheme and a dedicated loader. The team at Visa stated, “this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated.” Visa detected Baka on seven different domains in several countries.
Visa has released recommendations, linked below, but some of the most important steps any organization can take are to continuously audit its web servers and checkout pages for suspicious activity, in particular any communication with a server the organization does not own. E-skimmers are harder to spot than server-side malware because the C2 traffic is generated by the customer's browser when the checkout page renders, not by the merchant's web server, so it never appears in the server's own logs; detection has to look at what the page makes the browser load and send. Companies should also engage a security service provider that specializes in testing systems for vulnerabilities, such as TrustedSec. Finally, consider a fully hosted checkout solution, where customers enter their payment details on a page hosted by the payment provider rather than on the merchant's site. Keeping card data off the merchant's pages entirely is the most effective way to protect both the merchant and its customers from e-commerce skimming malware.
Visa Recommendations: https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf
Visa Best Practices: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf