Web payment card skimmers add anti-forensics capabilities
The new threat on the block
Web skimming is the theft of payment card details from ecommerce websites through malicious scripts injected into them. The scripts are typically injected into the checkout pages to siphon off card information as it is entered by buyers into web forms.
This type of attack has become popular over the past few years, with the rise of one particular skimmer called Magecart that over a dozen groups use. Despite using the same skimmer, these groups employ different techniques and methods to inject their malicious code into websites and keep it hidden.
Some exploit known vulnerabilities. Others compromise legitimate third-party scripts that are loaded into websites, like those for web analytics services, and there is evidence that some groups are compromising routers used to set up Wi-Fi hotspots in airports and other public spaces to inject their code into legitimate traffic.
Researchers have even found evidence that links some of the Magecart groups with sophisticated cybercrime groups like Cobalt and FIN6 that have historically targeted the infrastructure of banks and retailers. This suggests web skimming is profitable enough to be on the radar of well-established criminal gangs that have already stolen hundreds of millions of dollars from organizations worldwide.
It's then no surprise that other web skimmers like Inter and now Pipka have started to appear to compete with Magecart and some of them have started being sold as commodities on underground markets. With no shortage of methods of compromising websites, researchers expect that web skimming attacks will continue.
What makes Pipka different
According to Visa PFD's analysis, Pipka is customizable, attackers being able to configure which form fields they want to steal data from. The stolen data is stored in a cookie in encrypted form and is then exfiltrated to a command-and-control server.
The skimmer can target two-step checkout pages by having configurable fields for both billing data and payment account data. Its most interesting feature, however, is its ability to delete itself from the page after successful execution.
"When the skimmer executes, on script load, it calls the start function which calls the clear function and sets the skimmer to look for data every second," the Visa researchers said in their security alert. "The clear function locates the skimmer's script tag on the page and removes it. Since this happens immediately after the script loads, it is difficult for analysts or website administrators to spot the code when visiting the page."
This type of self-removal routine has been used in desktop malware, but this is the first time it's been observed in web skimmers, which marks "a significant development" in this type of attack, the Visa researchers said.
Visa PFD advises administrators to add recurring checks in their ecommerce environments for communications with known command-and-control servers used by skimmers, to regularly scan their sites for vulnerabilities or malware, to vet their content delivery networks and the third-party code loaded by partners into their websites, to ensure their shopping cart software and other services are up-to-date and patched, to use strong administrative passwords and limit access to the administrative portal and to consider using an external checkout solution where customers enter their payment details on another webpage instead of the merchant's site.