Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Visa Warns of New JavaScript Skimmer ‘Pipka’

A new JavaScript skimmer targets data entered into the payment forms of ecommerce merchant websites, Visa Payment Fraud Disruption (PFD) warns.

Dubbed Pipka, the skimmer was discovered on an ecommerce website previously infected with the JavaScript skimmer known as Inter, but it has infected at least sixteen other merchant websites as well.

A new JavaScript skimmer targets data entered into the payment forms of ecommerce merchant websites, Visa Payment Fraud Disruption (PFD) warns.

Dubbed Pipka, the skimmer was discovered on an ecommerce website previously infected with the JavaScript skimmer known as Inter, but it has infected at least sixteen other merchant websites as well.

What sets Pipka apart from other skimmers is the fact that it has the ability to remove itself from the compromised HTML code after execution, in an effort to avoid detection, Visa notes in a security alert (PDF).

The skimmer allows operators to configure the form fields to be parsed and extracted from the targeted checkout pages, including payment account number, expiration date, CVV, and cardholder name and address. Before execution, the code checks for these configured fields.

Directly injected at different locations on the compromised websites, the skimmer harvests data from the targeted fields, then encodes it in base64, encrypts it and exfiltrates it, but not before checking if the data string was previously sent to the command and control (C&C) server.

One of the analyzed samples was designed to target two-step checkout pages, where billing data and payment account data is collected on different pages.

The skimmer shows a focus on anti-forensics, by calling a function that clears the skimmer’s script tag from the page immediately after the script loads, thus making it difficult for analysts or website administrators to notice the code.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming,” Visa points out.

Advertisement. Scroll to continue reading.

Pipka also attempts to hide the exfiltration by using an image GET request for this operation. Unlike other skimmers, however, it does not remove the image tag immediately, but sets the onload attribute of the image tag to remove the image tag once the JavaScript code is loaded.

The end result of Pipka, however, is the same as with any other skimmer, albeit some methods are different: exfiltrating payment card data from ecommerce websites. The new threat, Visa notes, is expected to continue to be used in live attacks.

Related: Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Related: Hackers Favoring Shimmers Over Skimmers for ATM Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.