Referred to as Baka, the e-commerce skimmer was first discovered in February 2020, but has already impacted several merchant websites across numerous global regions.
The kit itself is basic, with the components expected of such a skimmer: an administration panel, an exfiltration gateway, and a skimming script generator. Its design, however, is advanced, suggesting the work of a skilled developer, Visa notes in a security alert.
Baka features a unique loader, loads its payload dynamically, and obfuscates the malicious code with unique encryption parameters for each of its victims.
To further avoid detection and analysis, the skimmer removes itself from memory when it detects dynamic analysis attempts using Developer Tools, and again once the targeted data has been successfully exfiltrated, Visa Payment Fraud Disruption (PFD) says.
The malicious skimming code is fetched and executed when a user visits a merchant’s checkout page. The decrypted payload resembles code used to dynamically load pages.
Visa also discovered that the code skims the targeted fields every 100 milliseconds, and that the attacker can specify which fields are targeted for each victim. The code also checks every 100 milliseconds whether the skimmer has collected any data.
If data is found, the function calls for data exfiltration and a check is performed every 3 seconds to determine whether the script should send data to the exfiltration gateway.
Once the data has been exfiltrated, a clean-up function removes the entire skimming code from memory to evade detection.
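Two of the behaviours described above can be observed from the page itself without opening Developer Tools: a timer polling form fields at a 100 ms cadence, and a script element injected at runtime by the loader. The following is an added, hypothetical defender-side monitor (not Visa's or any merchant's code) that records both passively; the 250 ms threshold and the `installTimerMonitor` / `installScriptInjectionMonitor` names are assumptions.

```javascript
// Defender-side checkout-page monitor (hypothetical example; not Visa's or any merchant's code).
// It records sub-threshold polling timers and runtime script injection without opening
// Developer Tools, which the skimmer watches for before erasing itself from memory.

const POLL_THRESHOLD_MS = 250; // assumption: legitimate checkout scripts rarely poll this fast

// Wraps setInterval on the given global object (window in a browser, globalThis in Node)
// and records every interval at or below the threshold together with its call stack.
function installTimerMonitor(g, onFinding) {
  const origSetInterval = g.setInterval;
  const findings = [];
  g.setInterval = function (fn, delay, ...args) {
    if (typeof delay === 'number' && delay <= POLL_THRESHOLD_MS) {
      const finding = { kind: 'fast-interval', delay, stack: new Error().stack };
      findings.push(finding);
      if (onFinding) onFinding(finding);
    }
    return origSetInterval.call(g, fn, delay, ...args);
  };
  return { findings, restore() { g.setInterval = origSetInterval; } };
}

// Browser-only: reports <script> elements added to the DOM after page load, which is how a
// dynamic loader fetches and executes a skimming payload. Returns null where no DOM exists.
function installScriptInjectionMonitor(doc, onFinding) {
  if (typeof MutationObserver === 'undefined' || !doc || !doc.documentElement) return null;
  const observer = new MutationObserver((records) => {
    for (const r of records) {
      for (const node of r.addedNodes) {
        if (node.nodeName === 'SCRIPT') {
          onFinding({ kind: 'script-injected', src: node.src || '(inline)',
                      inlineLength: (node.textContent || '').length });
        }
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Example wiring: log findings locally; in production, forward them to your own telemetry.
function startMonitoring(g) {
  const report = (f) => console.warn('[checkout-monitor]', JSON.stringify(f));
  const timers = installTimerMonitor(g, report);
  const dom = installScriptInjectionMonitor(g.document, report);
  return { timers, dom };
}
```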