Pipka was first identified on an unnamed North American merchant website, and researchers have since identified sixteen additional unnamed websites compromised by the skimmer (Threatpost has reached out to researchers for further information on the names of the victim sites).
“We are not identifying merchants by name or sector but they are comprised of small to medium sized businesses. All impacted merchants have been alerted,” Sam Cleveland, senior analyst on the Payment Fraud Disruption team at Visa told Threatpost.
Researchers said that the skimmer is injected directly into varying locations on the targeted merchant’s website and, once executed, harvests the data in the configured form fields. The skimmer checks for these configured fields before executing; specifically, Pipka is configured to check for the “payment account number” field. Then, Pipka checks that the data string was not previously sent to avoid sending duplicate data, and exfiltrates the payment card data to a command and control (C2) server.
Researchers said that Pipka includes some unique features not previously observed – the most interesting centering around anti-forensics.
When the skimmer executes, it calls the start function, which in turn calls the clear function and sets the skimmer to look for data every second. Immediately after the script loads, the clear function locates the skimmer’s script tag on the page and removes it – making it difficult for analysts or website administrators to spot the code when visiting the page.
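The self-removal behaviour described above can be caught from the defender's side, because deleting a script tag is itself a DOM mutation. The following is an added example, not code from the Threatpost article or from Visa's report: a small probe that records every `<script>` element removed from the page and flags removals that happen shortly after load. The pure function `summarizeRemovedScript` does the classification and accepts either a real DOM node or a plain object with `tagName`, `src` and `textContent` (the shape used for offline testing); the 5-second threshold and the snippet length are assumptions, not values from the page.

```javascript
// Added example: a defender-side probe for script tags that remove themselves.
// Not Pipka's code and not from Visa's analysis; the threshold and field names
// below are assumptions chosen for illustration.

const SNIPPET_CHARS = 120;        // inline source kept for the report (assumption)
const EARLY_REMOVAL_MS = 5000;    // removal this soon after navigation is flagged (assumption)

// Summarize one removed node; returns null for anything that is not a <script>.
function summarizeRemovedScript(node, removedAtMs) {
  if (!node || String(node.tagName).toUpperCase() !== 'SCRIPT') return null;
  const inline = node.src ? '' : String(node.textContent || '');
  return {
    kind: node.src ? 'external' : 'inline',
    src: node.src || null,
    inlineLength: inline.length,
    snippet: inline.slice(0, SNIPPET_CHARS),
    removedAtMs: Math.round(removedAtMs),
    // A tag that disappears moments after the page loads matches the
    // anti-forensics pattern described for the skimmer's clear function.
    earlyRemoval: removedAtMs < EARLY_REMOVAL_MS,
  };
}

// Walk a batch of MutationRecords (or plain objects with a removedNodes array)
// and append a summary for each removed <script> to `sink`.
function collectRemovedScripts(mutations, nowMs, sink) {
  for (const m of mutations) {
    for (const node of m.removedNodes) {
      const rec = summarizeRemovedScript(node, nowMs);
      if (rec) sink.push(rec);
    }
  }
  return sink;
}

// Browser hook. Install it as the first inline script in <head> so the observer
// is already watching when a later script deletes its own tag. Under Node there
// is no DOM, so the function simply returns null.
function installScriptRemovalProbe(sink = []) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null;
  }
  const observer = new MutationObserver((mutations) =>
    collectRemovedScripts(mutations, performance.now(), sink));
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

The records in `sink` can be shipped to a logging endpoint or simply inspected in the console during a site review; an inline script that vanishes within seconds of load, with no matching change in the site's deployed source, is exactly the case worth investigating.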
Before sending exfiltrated data to the C2 server, the skimmer also encodes the stolen data with ROT13. ROT13 is a simple letter-substitution cipher that replaces each letter with the one 13 positions further along the alphabet; it obscures the data rather than protecting it, since applying the same substitution again restores the original text. While the use of ROT13 has been observed before, it was implemented on the exfiltration C2 server, not in the skimmer itself, researchers said.
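For an analyst reviewing captured outbound requests, the practical consequence is that ROT13 is trivial to undo, and that it never touches digits, so a card number is visible in the payload even before decoding. The following is an added example, not code from the article or from Visa's report: it decodes a captured request body, searches the result for 13-to-19-digit runs that pass the Luhn check, and reports them masked. The payload format and the sample bodies are constructed for illustration; the page does not describe Pipka's actual wire format.

```javascript
// Added example: decode ROT13-encoded exfiltration payloads captured from
// outbound requests and flag any that carry a Luhn-valid card number.
// Not Pipka's code; the field names and sample bodies are constructed.

// ROT13 shifts letters by 13 places; digits and punctuation pass through unchanged.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Luhn checksum over a string of 13 to 19 digits.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Every digit run of plausible PAN length that passes Luhn.
function findCardNumbers(text) {
  const candidates = text.match(/\d{13,19}/g) || [];
  return candidates.filter(luhnValid);
}

// Keep first six and last four digits, as a report would.
function maskPan(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Classify one captured request body. Decoding is still worth doing even though
// digits survive ROT13 as-is, because it makes the field names readable.
function classifyPayload(body) {
  const decoded = rot13(body);
  const pans = findCardNumbers(decoded);
  return { decoded, suspicious: pans.length > 0, maskedPans: pans.map(maskPan) };
}

// Constructed samples: one ROT13-encoded form capture, one ordinary query string.
const SAMPLE_BODIES = [
  rot13('cardnumber=4111111111111111&exp=12/25&name=Jane Doe'),
  'q=search+terms&page=2',
];

// Run all samples and return only the flagged ones.
function flagSuspicious(bodies = SAMPLE_BODIES) {
  return bodies.map(classifyPayload).filter((r) => r.suspicious);
}
```

Because digits are untouched by ROT13, a proxy or WAF rule that looks for Luhn-valid digit runs in POST bodies headed to unfamiliar hosts will catch this traffic without decoding at all; the decode step matters when reconstructing what was taken.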
Web skimmers have been a favorite of cybercriminals over the past year.
The most infamous example is Magecart, which has made headlines over the past year or so for high-profile breaches of companies such as VisionDirect and Ticketmaster. The group is known for its use of web-based digital card skimmers: scripts injected into websites to steal data entered into online payment forms on e-commerce sites, either directly or through compromised third-party suppliers used by those sites. More recently, the Magecart threat group continued its offensive with two newly disclosed breaches targeting bedding retailers MyPillow and Amerisleep.
And in July, malicious domains masquerading as Google sites were discovered being used by payment card-skimming adversaries looking to dupe website visitors.
“Online credit card skimming differs from the physical skimming practices most people have heard about in that there isn’t an obvious way the average person will be able to identify if or when a web site has been compromised,” Tim Mackey, principal security strategist with Synopsys said in an email. “The only potential tell-tale sign might be that the website itself doesn’t quite look ‘right,’ though more sophisticated attacks can make even differentiating between a fake site and a legitimate one challenging.”
Visa researchers recommended that websites institute recurring checks in eCommerce environments for C2 communications; ensure familiarity with code integrated into eCommerce environments and closely vet Content Delivery Networks.