The Pipka script, recently discovered by researchers at Visa's Payment Fraud Disruption (PFD), is capable of self-destructing after executing its code on a website, making it very difficult to detect.
The skimmer was first found on the site of a North American retailer already infected with another skimmer called Inter. Further investigation allowed the researchers to discover that 16 other eCommerce sites had been infected with Pipka.
THE NEW THREAT ON THE BLOCK
Skimming involves stealing bank card data from eCommerce sites after injecting malicious scripts into the pages of the website. Typically, scripts are injected into payment pages to siphon credit card information as it is entered by buyers into online forms. In recent years, this kind of attack has developed a lot.
So, more than a dozen hackers groups use a well-known skimmer, called Magecart. But even if they use the same skimmer, each group has developed different techniques and methods to inject malicious code into websites and make it undetectable.
Some exploit known vulnerabilities. Others compromise legitimate third-party scripts loaded on websites, such as web analytics scripts, and there is also evidence that some groups compromise routers to configure WiFi access points in airports and other locations in order to be enabled to and inject their code into legitimate traffic.
Researchers also found links between some Magecart hackers groups and highly sophisticated cybercriminal networks like Cobalt and FIN6, which have always targeted banks and large retailers.
This suggests that web skimming remains profitable enough, including well-established cybercriminals who have stolen hundreds of millions of dollars from organizations around the world. It is not surprising then that other skimmers, such as Inter, and today Pipka, are starting to compete with Magecart, and some of them are sold on the underground markets. There is plenty of choice in hacking websites, and researchers believe that skimming attacks will continue.
WHY PIPKA IS DIFFERENT?
According to researchers, Pipka is customizable. For example, attackers can configure the form fields they want to steal. This data is stored in a cookie in encrypted form before being extracted and stored on a remote server.
In addition, Pipka is designed to allow an attacker to configure various aspects of the skimmer. An attacker can configure the specific form fields from which to skim data. These fields include a key, configured by the variable trigger or calculated for the variable curstep, that is used to store form data in a cookie for later exfiltration, the exfiltration point or gate, and a scriptId, which is an HTML ID for the skimmer script itself.
The following images display the configurable form fields within the Pipka code.
But, its most interesting feature is its ability to remove itself from the page after execution. Since this deletion function occurs immediately after the script is loaded, it is difficult for analysts or website administrators to find the code when they parse the page.
If this type of self-destruct routine has already been used in desktop malware, this is the first time we've seen it in web skimmers. Which, according to Visa researchers, indicates "significant development" in this type of attack.
As mitigation measures, Visa researchers advise administrators to add recurring checks in their e-commerce environments to identify network communications with third-parties.