Visa Issues Alert for ‘Baka’ JavaScript Skimmer

A JavaScript skimmer identified earlier this year uses dynamic loading to avoid detection by static malware scanners, Visa warns.

Referred to as Baka, the e-commerce skimmer was first discovered in February 2020, but has already impacted several merchant websites across numerous global regions.

The skimmer is basic in scope, containing the components expected of such a kit (an administration panel, an exfiltration gateway and a skimming-script generator), but its design is advanced, which suggests it is the work of a skilled developer, Visa notes in a security alert.

Baka has a unique loader, loads its payload dynamically, and obfuscates the malicious code with encryption parameters that are unique to each victim.

To further hinder detection and analysis, the skimmer removes itself from memory when it detects dynamic-analysis attempts via browser Developer Tools, and again once the targeted data has been successfully exfiltrated, Visa Payment Fraud Disruption (PFD) says.

“The Baka loader works by dynamically adding a script tag to the current page. The new script tag loads a remote JavaScript file, the URL of which is stored encrypted in the loader script. The attacker can change the URL for each victim,” Visa explains.

The malicious skimming code is fetched and executed when a user visits a merchant’s checkout page. The decrypted payload resembles code used to dynamically load pages.

Visa also found that the code skims the targeted fields every 100 milliseconds, and that the attacker can specify which fields are targeted for each victim. The code also checks every 100 milliseconds whether the skimmer has collected any data.

If data has been collected, the exfiltration function is called, and a check runs every 3 seconds to determine whether the script should send the data to the exfiltration gateway.

Once the data has been exfiltrated, a clean-up function removes the entire skimming code from memory to evade detection.

“To further prevent detection, Baka uses an XOR cipher to encrypt hard-coded values and obfuscate the skimming code delivered by the C2. While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware. The developer of this malware kit uses the same cipher function in the loader and the skimmer,” Visa says.
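A repeating-key XOR of the kind Visa describes is its own inverse, which matters to analysts for two reasons: the routine the loader uses to hide its values is also the routine that reveals them once the key is read out of the loader, and a short key leaks through known plaintext such as the `https://` prefix of a URL. The following is an added example written for this article, not code from Visa's alert or from the malware; the key, URL and encoded bytes are constructed for illustration and are not indicators from the alert.

```javascript
// Added example (not Visa's or the malware's code): why XOR obfuscation is
// recoverable by an analyst. xorBytes() is symmetric, so one function both
// encodes and decodes, matching the article's point that the same cipher
// function appears in loader and skimmer. The key and URL are constructed.

function xorBytes(data, key) {
  // Symmetric: xorBytes(xorBytes(p, k), k) equals p for any key.
  const out = new Uint8Array(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ key[i % key.length];
  }
  return out;
}

const enc = new TextEncoder();
const dec = new TextDecoder();

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function fromHex(hex) {
  return Uint8Array.from(hex.match(/../g) || [], (h) => parseInt(h, 16));
}

// Analyst step 1: the key is hard-coded in the loader, so once it is read
// out, decoding an obfuscated string is a single call.
function decodeWithKey(hexCipher, keyString) {
  return dec.decode(xorBytes(fromHex(hexCipher), enc.encode(keyString)));
}

// Analyst step 2: when the key is not obvious, a short repeating key is
// recovered from known plaintext. An obfuscated URL starts with "https://",
// which yields up to eight key bytes directly; the remainder of the prefix
// then confirms or rejects the guessed key length.
function recoverKeyFromPrefix(cipherBytes, keyLength, knownPrefix = "https://") {
  const prefix = enc.encode(knownPrefix);
  if (keyLength > prefix.length) {
    throw new RangeError("need at least as many known plaintext bytes as key bytes");
  }
  const key = new Uint8Array(keyLength);
  for (let j = 0; j < keyLength; j++) key[j] = cipherBytes[j] ^ prefix[j];
  for (let i = keyLength; i < prefix.length; i++) {
    if ((cipherBytes[i] ^ key[i % keyLength]) !== prefix[i]) return null;
  }
  return dec.decode(key);
}

// Constructed sample: a placeholder URL obfuscated under a constructed key.
const SAMPLE_KEY = "k3";                              // constructed, not from the alert
const SAMPLE_URL = "https://c2.example.invalid/s.js"; // placeholder, not an IoC
const SAMPLE_CIPHER_HEX = toHex(xorBytes(enc.encode(SAMPLE_URL), enc.encode(SAMPLE_KEY)));

console.log("obfuscated:", SAMPLE_CIPHER_HEX);
console.log("decoded with known key:", decodeWithKey(SAMPLE_CIPHER_HEX, SAMPLE_KEY));
console.log("key recovered from https:// prefix:",
  recoverKeyFromPrefix(fromHex(SAMPLE_CIPHER_HEX), SAMPLE_KEY.length));
```

The practical takeaway is that per-victim XOR parameters defeat signature matching on the encoded bytes, not analysis: a defender who captures the loader has the key, and a defender who does not can still test short key lengths against the known URL prefix. Detection therefore has to rest on behaviour and provenance (an unexpected script source on the checkout page, a decode-and-execute pattern) rather than on the obfuscated strings themselves.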

In November last year, Visa published information on another JavaScript skimmer, called Pipka. Like Baka, that skimmer could remove itself after execution to hinder detection.

Related: American Payroll Association User Data Stolen in Skimmer Attack

Related: Hackers Target Online Stores With Web Skimmer Hidden in Image Metadata

Related: Visa Warns of New JavaScript Skimmer ‘Pipka’

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
