Security researchers at Visa’s Payment Fraud Disruption Group have spotted a new and unique JavaScript payment card skimming malware named Pipka which has been found to have infected at least 16 e-commerce websites so far. In a security alert released by Visa, their researchers describe the self-cleaning mechanism as something unique to Pipka. The new malware attempts to evade detection by removing itself from the HTML code of an infected website after it successfully executes. “The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild and marks a significant development in JavaScript skimming,” researchers noted. Just like other card skimmers, Pipka is designed to steal payment card details such as card numbers, expiration dates, cardholders’ names, and other sensitive data. Once the skimmer has the information, the harvested data is base64 encoded and encrypted a cipher ROT13. This encrypted data is then stored in a cookie for later transmission to a remote command and control server (C2).
Analyst Notes
Organizations should institute recurring checks in their payment portals for communications with C2 servers. Regularly scan and test eCommerce sites for vulnerabilities of malware, third-party vendors such as TrustedSec who are capable of penetration testing programs. Verify that all sites and programs are continually updated and patched to provide the latest security protocols. Limit access to the administrative portal to only those who need them. Users are recommended to employ credit monitoring services to watch for unusual or malicious activity of their financial accounts and report any unusual activity as soon as found.
Article Source: https://cyware.com/news/new-javascript-skimmer-pipka-found-targeting-e-commerce-websites-54ab0919
Visa security alert: https://usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf
