Pipka – New JavaScript Skimmer that Attacks eCommerce Website to Steal Payment Card Details

A new JavaScript skimmer dubbed Pipka attacks eCommerce websites to steal the payment data entered into online payment forms of the websites. It extracts details such as payment account number, expiration date, CVV, and cardholder name and address, from the checkout pages.

The Pipka found to be installed on more than sixteen eCommerce websites, the attack campaign detected by Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program.

Pipka Play Around Stealthy

The use of web skimmers emerges as a turnkey business for cybercriminals and they continue to target online stores to exfiltrate users’ payment card details.

Pipka has a special ability when compared to other online skimmers, it is capable of removing itself from the HTML codes of the compromised website once it completes the execution.

This new interesting feature gives pipka an ability to play around stealthy and it marks a significant development in JavaScript skimming.

Threat actors behind pipka inject the skimmer script directly into the targeted eCommerce website, once executed it harvests data from the forms entered. The harvested data is base64 encoded and encrypted using ROT13 cipher.

Before sending the data to the attacker server, it checks for the uniqueness of the data string to avoid duplicate data. The following are the targeted payment account number fields.

  • authorizenet_cc_number
  • ctl00_PageContent_tbCardNumber
  • input-cc-number
  • cc_number
  • paypal_direct_cc_number
  • ECommerce_DF_paymentMethod_number
  • input[id$=\x27_CardNumber\x27]

PFD found Pipka on the North American merchant website that was previously infected by Inter, another JavaScript skimmer.

Pipka Sample Script

Pipka lets attackers customize for specific form fields to skim data. One Sample observed by PFD “target two-step checkout pages that collect billing data on one page and payment account data on another.”

Another notable feature is anti-forensics ability, whenever the skimmer executes it calls for a start process function, which all calls for a clear function ability. The clear function locates for the skimmer script tag and removes it immediately.

This function makes analysis so difficult as the script gets removed immediately and it is the first time self-cleaning feature available with JavaScript skimmers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago