Visa Warns of New JavaScript Skimmer ‘Pipka’

A new JavaScript skimmer targets data entered into the payment forms of ecommerce merchant websites, Visa Payment Fraud Disruption (PFD) warns.

Dubbed Pipka, the skimmer was discovered on an ecommerce website previously infected with the JavaScript skimmer known as Inter, but it has infected at least sixteen other merchant websites as well.

What sets Pipka apart from other skimmers is the fact that it has the ability to remove itself from the compromised HTML code after execution, in an effort to avoid detection, Visa notes in a security alert (PDF).

The skimmer allows operators to configure the form fields to be parsed and extracted from the targeted checkout pages, including payment account number, expiration date, CVV, and cardholder name and address. Before execution, the code checks for these configured fields.

Directly injected at different locations on the compromised websites, the skimmer harvests data from the targeted fields, then encodes it in base64, encrypts it and exfiltrates it, but not before checking if the data string was previously sent to the command and control (C&C) server.

One of the analyzed samples was designed to target two-step checkout pages, where billing data and payment account data is collected on different pages.

The skimmer shows a focus on anti-forensics, by calling a function that clears the skimmer’s script tag from the page immediately after the script loads, thus making it difficult for analysts or website administrators to notice the code.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming,” Visa points out.

Pipka also attempts to hide the exfiltration by using an image GET request for this operation. Unlike other skimmers, however, it does not remove the image tag immediately, but sets the onload attribute of the image tag to remove the image tag once the JavaScript code is loaded.

The end result of Pipka, however, is the same as with any other skimmer, albeit some methods are different: exfiltrating payment card data from ecommerce websites. The new threat, Visa notes, is expected to continue to be used in live attacks.

Related: Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Related: Hackers Favoring Shimmers Over Skimmers for ATM Attacks