Visa has identified a new type of JavaScript skimmer in
the wild that can erase itself from HTML code after execution.
The malware, named Pipka, was found running on several
eCommerce websites in the United States. While the basic working principle
behind this JavaScript skimmer is not new, its ability to delete itself after execution
caught the attention of security professionals.
Pipka was actually running on a website already infected
with another skimmer, named Inter. Pipka lets attackers see what form fields
are parsed and extracted, including sensitive data such as the payment
account number, expiration date, CVV, and cardholder name and address.
“The most interesting and unique aspect of Pipka is its
ability to remove itself from the HTML code after it is successfully executed.
This enables Pipka to avoid detection, as it is not present within the HTML
code after initial execution,” says
Visa. “This is a feature that has not been previously seen in the wild, and
marks a significant development in JavaScript skimming.”
Moreover, Pipka is not a proof of concept. It was already
running in the wild when the researchers from Visa Payment Fraud Disruption’s
(PFD) eCommerce Threat Disruption (eTD) program found it, which means that
it might be more widespread.
Users have few choices when it comes to JavaScript
skimmers, as the process is invisible to them. However, they can safeguard
against such problems by installing security software, using multi-factor
authentication, enabling alerts for credit cards, and sticking only to known
websites that employ 3-D Secure (Visa only).
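
For site operators, the self-removal behaviour Visa describes can itself serve as a detection signal. The following is an added example, not code from Visa's report: it assumes the removal is visible as a `<script>` element leaving the DOM, and the function name `createScriptRemovalTracker` and the allowlisted host `cdn.example.com` are hypothetical.

```javascript
// Added example (not from Visa's report). Flags <script> elements that
// disappear from the DOM, the trace a self-removing skimmer leaves behind.
function createScriptRemovalTracker(trustedHosts = []) {
  const addedAt = new Map(); // script node -> time it was seen entering the DOM
  const alerts = [];
  const isScript = (n) => n && n.nodeName === 'SCRIPT';
  const hostOf = (src) => {
    try { return new URL(src).hostname; } catch (e) { return null; } // inline: no src
  };

  // records: MutationRecord-like objects with addedNodes / removedNodes.
  function handle(records, now = Date.now()) {
    for (const rec of records) {
      for (const node of rec.addedNodes || []) {
        if (isScript(node)) addedAt.set(node, now);
      }
      for (const node of rec.removedNodes || []) {
        if (!isScript(node)) continue;
        const seen = addedAt.get(node);
        addedAt.delete(node);
        // Tag managers and JSONP helpers also remove their own tags, so
        // scripts from allowlisted hosts are skipped; inline ones never are.
        if (trustedHosts.includes(hostOf(node.src))) continue;
        alerts.push({
          src: node.src || '(inline)',
          // null means the script was already present before observation began
          livedMs: seen === undefined ? null : now - seen,
          codeLength: (node.textContent || '').length,
        });
      }
    }
    return alerts;
  }
  return { handle, alerts };
}

// Browser wiring; skipped when run outside a browser (e.g. under Node).
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  const tracker = createScriptRemovalTracker(['cdn.example.com']); // placeholder host
  new MutationObserver((records) => {
    const before = tracker.alerts.length;
    tracker.handle(records);
    for (const a of tracker.alerts.slice(before)) {
      console.warn('script element removed from DOM', a); // stand-in for real reporting
    }
  }).observe(document, { childList: true, subtree: true });
}
```

The observer only sees changes made after it starts, so on a checkout page it has to be the first script that runs.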