Security researchers at Visa’s Payment Fraud Disruption Group have spotted a new JavaScript payment card skimmer named Pipka, which has been found on at least 16 e-commerce websites so far. In a security alert released by Visa, the researchers describe its self-cleaning mechanism as unique to Pipka: the malware attempts to evade detection by removing itself from the HTML code of an infected website after it successfully executes.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild and marks a significant development in JavaScript skimming,” researchers noted.

Just like other card skimmers, Pipka is designed to steal payment card details such as card numbers, expiration dates, cardholders’ names, and other sensitive data. Once the skimmer has the information, the harvested data is base64 encoded and encrypted using the ROT13 cipher. This encrypted data is then stored in a cookie for later transmission to a remote command and control server (C2).
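Because the harvested data sits in a cookie before it is sent, a defender can inspect cookie values for that encoding. The sketch below is an added example, not code from Visa's alert or from Pipka: it assumes ROT13 was applied over the base64 text, and the cookie names and sample header are constructed (the card number is the standard 4111... test value).

```javascript
// ROT13 is its own inverse, so one function both applies and removes it.
const rot13 = (s) => s.replace(/[a-zA-Z]/g, (c) => {
  const base = c <= 'Z' ? 65 : 97;
  return String.fromCharCode((c.charCodeAt(0) - base + 13) % 26 + base);
});

// Strict base64 decode; returns null when the value is not valid base64.
function b64decode(s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  return Buffer.from(s, 'base64').toString('latin1');
}

// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when the text holds a 13-19 digit run that passes the Luhn check.
function containsCardNumber(text) {
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((r) => luhnValid(r.replace(/[ -]/g, '')));
}

// Returns the names of cookies whose value, after ROT13 and base64 are
// removed, contains a Luhn-valid card number.
function findSuspiciousCookies(cookieHeader) {
  const hits = [];
  for (const pair of cookieHeader.split(/;\s*/)) {
    const eq = pair.indexOf('=');
    if (eq < 1) continue;
    let value = pair.slice(eq + 1);
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    const decoded = b64decode(rot13(value));
    if (decoded !== null && containsCardNumber(decoded)) hits.push(pair.slice(0, eq));
  }
  return hits;
}

// Constructed sample header: two benign cookies and one encoded as assumed above.
const TEST_PAN = '4111111111111111';
const sampleHeader = [
  'session=8f3a9c21d0',
  'prefs=' + Buffer.from('theme=dark').toString('base64'),
  'trk=' + encodeURIComponent(rot13(Buffer.from(`cc=${TEST_PAN}&exp=12/30`).toString('base64'))),
].join('; ');
console.log(findSuspiciousCookies(sampleHeader));
```

The same check can run over `Cookie` headers captured at a proxy or in a synthetic checkout test, where a hit on a first-party page means card data is being staged client-side.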