Visa specialists have discovered a previously unknown malicious script that steals bank card data from online stores. The malware, called Pipka, also has a unique ability: it can delete itself from an infected site. The Pipka skimmer was found on at least 16 sites involved in online trading.
Experts found that the skimmer hunts for bank card numbers, CVV codes, PayPal credentials and other financial information, depending on the structure of the target site. One variant of the program that researchers obtained could handle two-stage data entry, where billing data is requested on different pages.
Researchers were surprised by the malware's ability to clear itself from the HTML code of an infected online store. As soon as the script is uploaded to the site, it clears all of its tags, leaving no visible traces of its presence in the system.
This behavior seriously complicates the detection of Pipka by both security tools and site administrators.
The malicious script transfers the collected data to the command server after first encoding it with the ROT13 cipher and Base64. Before sending the next batch of information, the program checks whether it has already sent this information, in order to avoid duplicating data.
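For analysts reviewing captured outbound request values from a storefront, the two encoding layers described above can be peeled off and the result checked for card numbers. This is an added example, not code from Visa's report or from the skimmer itself; the order of the layers is not stated here, so it tries both, and the function names and sample strings are constructed for illustration.

```python
import base64, binascii, codecs, re

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # candidate card numbers

def luhn_ok(digits):
    """Luhn checksum, used to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def b64_text(s):
    """Strict Base64 decode to text; None if s is not valid Base64 or UTF-8."""
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def rot13(s):
    return codecs.decode(s, "rot_13")

def peel(value):
    """Undo both layers in either order (assumption: the order is unknown)."""
    candidates = []
    inner = b64_text(value)          # case: ROT13 applied first, then Base64
    if inner is not None:
        candidates.append(("rot13-then-base64", rot13(inner)))
    plain = b64_text(rot13(value))   # case: Base64 applied first, then ROT13
    if plain is not None:
        candidates.append(("base64-then-rot13", plain))
    return candidates

def find_card_data(value):
    """Return [(layer_order, [PANs])] for decodings that expose Luhn-valid numbers."""
    hits = []
    for order, text in peel(value):
        pans = [p for p in PAN_RE.findall(text) if luhn_ok(p)]
        if pans:
            hits.append((order, pans))
    return hits

# Constructed samples: a form-style string carrying the public test PAN.
PLAIN = "card=4111111111111111&cvv=123"
SAMPLE_A = base64.b64encode(rot13(PLAIN).encode()).decode()
SAMPLE_B = rot13(base64.b64encode(PLAIN.encode()).decode())

if __name__ == "__main__":
    for name, v in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", "utm_source=newsletter")):
        print(name, find_card_data(v))
```

A hit on either order in traffic leaving a checkout page to an unfamiliar host is a signal worth escalating, since the injected tags themselves may no longer be present in the page source.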
The campaign, recorded in September of this year, affected websites located in North America. One of the sites infected with Pipka had previously been infected with the Inter skimmer, but experts stop short of claiming that the same author wrote both programs.