PIPKA : A New JavaScript Skimmer Found in E-Commerce

Context:

The Pipka skimmer malware has been found to have infected at least 16 e-commerce websites so far. The malware tries to evade detection by removing itself from the HTML code of a compromised website after successful execution. Researchers at Visa’s eCommerce Threat Disruption (eTD) program found a new JavaScript skimmer called ‘Pipka.’ In this article, we will be learning about What is Pipka Skimmer and how can the attack be mitigated at a common man’s level.

Contents:

1. What’s Pipka?
2. What does it extract?
3. How does Pipka Skimmer Extract?
4. Impact of Pipka Skimmer
5. How to mitigate the attack?

What’s Pipka?

Magecart attacks have been in news recently in the eCommerce world globally this year. A new advanced threat is in the news, which is strikingly similar to Magecart attacks and arguably more sophisticated- Pipka.

Security researchers at Visa’s Payment Fraud Disruption Group have spotted a new and unique JavaScript payment card skimming malware named Pipka, which has been found to have infected at least 16 e-commerce websites so far. Pipka, the skimmer was discovered on an e-commerce website previously infected with the JavaScript skimmer known as Inter.

After execution, the Pipka JavaScript skimmer removes itself from the HTML code of the compromised website, thereby decreasing the likelihood of detection. Visa said it had not seen anything like this before, and it’s proof that cybercriminals are getting more sophistical in the way they are carrying out attacks by the day.

What does it extract?

Pipka is a JavaScript skimmer that targets payment information entered into eCommerce merchant websites. Pipka enables configuration of form fields that allow extraction of payment card details such as payment account number, expiration date, CVV, and cardholder name and address, from the checkout pages of the targeted eCommerce website.

Much like other website skimmers, the code targets payment data entered into payment forms on e-commerce websites. The malicious code extracts payment data, including- name, account number, expiration dates, and CVV.

How does Pipka skimmer Extract?

Pipka Skimmer has advanced tactics to avoid detection. The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after successful execution, researches said. Henceforth, you can never see if it if you looked for it in an unusual way.

Pipka finds out a vulnerable website and is injected into the checkout form code, ready to steal any data entered into the form. The data is base64 encoded and encrypted using ROT13 cipher and checks for duplicate data. Once the checks are carried out, the data is exfiltrated to an external server. When the skimmer executes, it calls the ‘Start’ function, which looks for data every second and then calls upon the ‘Clear’ function, which locates the skimmer script tag and removes it, ending up in cleaning up itself.

For example, all A’s are replaced with N’s; all B’s are replaced with O’s and so on. For clarification, refer below:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

NOPQRSTUVWXYZABCDEFGHIJKLM

Further, Pipka checks if the data string was previously sent to avoid data duplication. If the data string is unique, then data is fetched and sent to a command and control (C2) server. Pipka’s self-cleaning begins as soon as the initial script loads, becoming difficult to detect its presence on a compromised web page.

The malware is designed in such a way that a sample is customized to target two-step checkout pages that collect billing data on one page and payment account data on another.

Impact of Pipka skimmer:

Negative Brand reputation is the most noticeable impact of the attacks. In addition to the overall brand retribution, companies have to handle unhappy customers successfully and deal with their pain and inconvenience of card information being stolen. Pipka Skimmer has compromised 16 eCommerce websites to date.

The protection for consumers ultimately falls far from the eCommerce company. The companies that are vulnerable to malware attacks are victimized and fined heavily for their poor security practices.

How to mitigate the attack?

1. Examine your web traffic to know if you are targeted.
2. Look for website vulnerabilities, whether you can access to make website changes, and have the ability to add 3rd party vendors.
3. By implementing checks in eCommerce environments for potential communications with the C2 servers.
4. Beware of the code integrated via service providers.
5. Close vet utilized Content Delivery Networks (CDN) regularly.
6. Examine access control to Admin users.
7. Regularly scan and test eCommerce sites for malware vulnerabilities.
8. Never drop down the firewall of antispyware malware.
9. Make sure other integrations are all upgraded and patched.
10. Contact the trusted authority (Visa) immediately if you suspect your website is infected.
11. Limit access to the administrative portal and the accounts needing them.
12. Regularly ensure shopping carts or other services are upgraded or patched.

The result of Pipka is, however, similar to any other skimmer, except for some methods like – exfiltrating payment card data from e-commerce merchant websites.

It is very obvious that Pipka will continue to be used by threat actors to compromise the e-commerce merchant websites and harvest payment account data. The right thing to do is to limit access to the administrative portals as well as implement a security shield on the website. For the safety of users, they need to ensure that the shopping carts are upgraded or patches regularly; if not, contact the e-commerce merchant immediately for details.

To know more about day-to-day cyber-attacks/ threats, and how to mitigate them, go to the Security Awareness Blog for more information. That was all about Pipka Skimmer, if any further details encountered will be put up sooner. Bringing me back to the recent ransomware attack – Ransomware Attack: Hackers Demand $5 Million From Mexico’s State-Oil Firm. The hack detected on Sunday (November 10) by Premex, and the company was forced to shut down its computers across Mexico. Premex encountered with a darknet affiliated with ‘DoppelPaymer’ (a type of ransomware). To know more, visit here!!

Stay Updated. Stay Protected!