
“Pipka” JavaScript Skimmer Targets Ecommerce Websites


Visa has rung alarm bells for eCommerce websites in a security alert. Researchers at Visa’s eCommerce Threat Disruption (eTD) program found a new JavaScript skimmer called “Pipka”. It has already affected at least 16 eCommerce websites.

eTD is a proprietary Visa solution under its Payment Fraud Disruption (PFD) program. It scans the internet to identify malicious code on merchant payment pages and provides threat notifications so that affected merchants can quickly take remedial measures. During one such routine scan carried out in September, researchers stumbled upon the Pipka JavaScript skimmer on a North American merchant website. According to Visa, this merchant website had earlier been infected with another JavaScript skimmer, Inter, and hence was specifically under eTD’s scanner.

What’s New?

After it executes, the Pipka JavaScript skimmer can remove itself from the HTML code of the compromised website, thereby decreasing the likelihood of detection. Visa says it has not seen anything like this before in a JavaScript skimmer and that it is evidence that cybercriminals are becoming more sophisticated in the way they carry out attacks by the day.

What does it extract?

Pipka’s form fields are configurable, which allows the attacker to extract payment card details such as the payment account number, expiration date, CVV, and cardholder name and address from the checkout pages of the targeted eCommerce website.

How does it extract?

According to PFD, the skimmer checks for the payment account number form field, and Pipka is injected in various locations of the targeted website. Once executed, it collects the data from the configured form fields and base64-encodes it. The encoded data is then passed through the ROT13 cipher. ROT13 is a substitution cipher with a fixed key in which each letter of the alphabet is offset by 13 places. Note that neither step is real encryption: base64 and ROT13 are both trivially reversible, so anyone who captures the outbound data can recover the card details. The point of the encoding is only to keep the stolen data from being recognised by naive string matching on the wire.

For example, all ‘A’s are replaced with ‘N’s, all ‘B’s are replaced with ‘O’s, and so on. For clarification, refer to the substitution key below:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓

NOPQRSTUVWXYZABCDEFGHIJKLM

It can also be thought of as a Caesar cipher with a shift of 13. Because 13 is half of 26, applying ROT13 twice returns the original text, so the same routine both encodes and decodes. Digits and symbols, including the ‘+’, ‘/’ and ‘=’ characters of the base64 alphabet, are left unchanged.

Further, Pipka checks whether the data string was previously sent, to avoid sending duplicate data. If the string is unique, it is sent to a command and control (C2) server. Pipka’s self-cleaning begins as soon as the initial script loads, which is exactly why its presence on a compromised web page is so difficult to detect: a scan of the page’s HTML after the fact may find no trace of the script that has already run.

What are its effects?

Sam Cleveland, senior analyst at Visa’s PFD team, says Visa is presently unable to provide any information on payment card fraud or theft related to Pipka. “Visa does not have this information to share due to this being an ongoing investigation,” Cleveland says. But with the harvested payment card information, cybercriminals can carry out financial fraud and identity theft.

What mitigation measures can be taken?

Visa has listed the following measures and asked eCommerce websites to strictly adhere to them:

  • Implement recurring checks in eCommerce environments for potential communications with the C2 servers.
  • Be vigilant about the code integrated into eCommerce environments via service providers.
  • Closely vet the Content Delivery Networks (CDN) and other third-party resources the site loads.
  • Regularly scan and test eCommerce sites for vulnerabilities or malware.
  • Ensure third-party services and other integrations are all upgraded and patched.
  • Enforce access control on admin users and limit the number of administrative accounts.

Visa also asked merchants to contact it immediately if the Pipka JavaScript skimmer does infect their website despite these preventive measures.