What does it extract?
Pipka enables configuration of form fields that allows extraction of payment card details such as payment account number, expiration date, CVV, and cardholder name and address, from the checkout pages of the targeted eCommerce website.
How does it extract?
According to PFD, the skimmer checks the payment account number form field and injects Pipka in various locations of the targeted website. Once executed, it collects the data from the configured form fields and perform a base64 encoding on it. This encoded data is further encrypted using ROT13 cipher. The ROT13 cipher is a substitution cipher with a specific key where the letters of the alphabet are offset 13 places.
For example, all ‘A’s are replaced with ‘N’s, all ‘B’s are replaced with ‘O’s, and so on. For more clarification refer the below substitution key:
It can also be thought of as a Caesar cipher with a shift of 13.
Further, Pipka checks if the data string was previously sent to avoid data duplication. If the data string is unique, then data is fetched and sent to a command and control (C2) server. Pipka’s self-cleaning begins as soon as the initial script loads. This is exactly the reason why it is so difficult to detect its presence on a compromised web page.
What are its effects?
Sam Cleveland, senior analyst at Visa’s PFD team, says Visa presently is unable to provide any information on payment card fraud or theft related to Pipka. “Visa does not have this information to share due to this being an ongoing investigation,” Cleveland says. But as per the payment card information harvested, cybercriminals can carry out financial frauds and identity theft related crimes.
What mitigation measures can be taken?
Visa has listed the following measures and asked eCommerce websites to strictly adhere to it:
- Implement recurring checks in eCommerce environments for potential communications with the C2 servers
- Be vigilant about the code integrated into eCommerce environments via service providers.
- Keep a close eye on the Content Delivery Networks (CDN)
- Regularly scan and test eCommerce sites for vulnerabilities or malware
- Ensure third-party services and other integrations are all upgraded and patched
- Exercise access control to Admin users