Security researchers have spotted a new and unique JavaScript payment card-skimmer named Pipka. The malware has been found to have infected at least 16 e-commerce websites so far.
First appearance
Security researchers at Visa’s Payment Fraud Disruption Group first identified the malware on a North American merchant website in September 2019. Upon further investigation, it was found that the malware was responsible for compromising at least sixteen more e-commerce sites.
Unique characteristics
In a security alert, researchers described the self-cleaning mechanism as something unique to Pipka. The malware tries to evade detection by removing itself from the HTML code of a compromised website after it successfully executes.
“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild and marks a significant development in JavaScript skimming,” researchers note.
What can it steal?
What next?
The harvested data is base64 encoded and obfuscated with the ROT13 cipher. The encoded data is then stored in a cookie for later exfiltration to a remote command-and-control server.
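As an added, defender-side example (not code from the article or from Visa's alert), the check below unwraps a cookie value the way the article describes, base64 plus ROT13, and flags it if the plaintext contains a Luhn-valid card-number-like digit run. The order of the two transforms is not stated on the page, so both orders are tried; the sample cookie and the card number in it are constructed.

```javascript
// Added example: scan cookie values for base64+ROT13-wrapped card data.
// Assumption: order of the two transforms is unknown, so both orders are tried.

function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Decode base64, but only accept results that are printable ASCII text.
function b64decode(s) {
  const out = Buffer.from(s, 'base64').toString('utf8');
  return /^[\x20-\x7e]*$/.test(out) ? out : null;
}

// Luhn checksum, used to separate real-looking PANs from random digit runs.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Returns the decoded plaintext when the value unwraps to text holding a
// Luhn-valid 13-19 digit sequence, otherwise null (value looks benign).
function unwrapSkimmerCookie(value) {
  const inner = b64decode(value);
  const candidates = [
    b64decode(rot13(value)),        // rot13(base64(plain))
    inner === null ? null : rot13(inner), // base64(rot13(plain))
  ];
  for (const text of candidates) {
    if (text === null) continue;
    const runs = text.match(/\d{13,19}/g) || [];
    if (runs.some(luhnValid)) return text;
  }
  return null;
}

// Constructed sample: a test PAN (4111111111111111) wrapped base64-then-ROT13.
const SAMPLE_PLAIN = 'cc=4111111111111111;name=J DOE;exp=12/25';
const SAMPLE_COOKIE = rot13(Buffer.from(SAMPLE_PLAIN).toString('base64'));
```

A real deployment would run this over cookies observed at the CDN or WAF rather than in the page itself, since the skimmer removes its own script tag after running.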
Worth noting
Researchers claim that Pipka will continue to be used by threat actors to compromise e-commerce merchant websites and harvest payment account data. Online retailers should therefore regularly scan and test their websites for vulnerabilities and malware. They should also restrict access to the administrative portal and implement security best practices on the website.
Users, on the other hand, should regularly ensure that shopping cart, other services, and all software are upgraded or patched. They should also enable two-factor authentication as an added protection layer.