The Pipka found to be installed on more than sixteen eCommerce websites, the attack campaign detected by Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program.
Pipka Play Around Stealthy
The use of web skimmers emerges as a turnkey business for cybercriminals and they continue to target online stores to exfiltrate users’ payment card details.
Pipka has a special ability when compared to other online skimmers, it is capable of removing itself from the HTML codes of the compromised website once it completes the execution.
Threat actors behind pipka inject the skimmer script directly into the targeted eCommerce website, once executed it harvests data from the forms entered. The harvested data is base64 encoded and encrypted using ROT13 cipher.
Before sending the data to the attacker server, it checks for the uniqueness of the data string to avoid duplicate data. The following are the targeted payment account number fields.
Pipka lets attackers customize for specific form fields to skim data. One Sample observed by PFD “target two-step checkout pages that collect billing data on one page and payment account data on another.”
Another notable feature is anti-forensics ability, whenever the skimmer executes it calls for a start process function, which all calls for a clear function ability. The clear function locates for the skimmer script tag and removes it immediately.