Pipka skimmer can delete itself from an infected site

Visa specialists have discovered a previously unknown malicious script that steals bank card data from online stores. The malware, called Pipka, also has a unique ability: it can delete itself from an infected site.

The Pipka skimmer was found on at least 16 e-commerce sites.

“A malicious JavaScript script can be customized to a specific web resource,” report Visa information security experts.

Experts found that the skimmer hunts for bank card numbers, CVV codes, PayPal credentials and other financial information, depending on the structure of the target site. One of the variants obtained by researchers handled a two-stage checkout, in which billing data is requested on different pages.


Researchers were surprised by the malware's ability to remove itself from the HTML code of an infected online store. As soon as the script is loaded on the page, it removes all of its own tags, leaving no visible trace of its presence.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming,” write Visa specialists.

This behavior seriously complicates detection of Pipka by both security tools and site administrators.

The malicious script sends the collected data to the command server after encoding it with the ROT13 cipher and Base64. Before sending the next batch of information, the program checks whether it has already sent that information, in order to avoid duplicate data.
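For responders reviewing proxy or web server logs, the added example below (not code from Visa's report or from the skimmer) decodes query parameter values that were obfuscated with ROT13 and Base64. The page does not state the order of the two steps, so the decoder tries both; the host name, parameter names and card data are constructed test values.

```javascript
// Added triage helper. Assumption: the exfiltrated value travels as a URL
// query parameter; the page does not say how the data is carried.
const rot13 = (s) => s.replace(/[a-z]/gi, (c) => {
  const base = c <= 'Z' ? 65 : 97;
  return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
});

const B64 = /^[A-Za-z0-9+/]+={0,2}$/;
const PRINTABLE = /^[\x20-\x7e\t\r\n]+$/;
// latin1 maps bytes 1:1, so binary garbage stays visible to the PRINTABLE test.
const b64decode = (s) => Buffer.from(s, 'base64').toString('latin1');

// Returns every decoding of `value` that yields printable text.
// `order` names how the sender would have encoded it.
function decodeExfil(value) {
  const v = value.replace(/ /g, '+'); // query parsing turns '+' into a space
  if (v.length < 8 || !B64.test(v)) return [];
  const candidates = [
    { order: 'base64 then ROT13', text: b64decode(rot13(v)) },
    { order: 'ROT13 then base64', text: rot13(b64decode(v)) },
  ];
  return candidates
    .filter((c) => PRINTABLE.test(c.text))
    .map((c) => ({ ...c, cardLike: /\d{13,19}/.test(c.text) }));
}

// Checks every query parameter of one logged request URL.
function scanUrl(logged) {
  const hits = [];
  for (const [name, value] of new URL(logged).searchParams) {
    for (const c of decodeExfil(value)) hits.push({ param: name, ...c });
  }
  return hits;
}

// Constructed sample: well-known test card number, reserved .invalid host.
const samplePlain = 'cc=4111111111111111&cvv=123&exp=12/25';
const sampleValue = rot13(Buffer.from(samplePlain).toString('base64'));
const sampleUrl = 'https://collector.example.invalid/i.gif?sid=42&d=' +
  encodeURIComponent(sampleValue);
console.log(scanUrl(sampleUrl));
```

Short ordinary words can also pass the Base64 check, so treat hits without `cardLike` as leads to review rather than confirmed exfiltration.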

The campaign, recorded in September of this year, affected web resources located in North America. One of the sites infected with Pipka had previously been infected with the Inter skimmer, but experts stop short of claiming that the same author wrote both programs.

Analysts also did not name the e-commerce engine on which the infected sites ran. In early October, information security experts found a skimmer on the site of a developer of Magento solutions. The information stealer intercepted the payment data of Extendware plugin buyers, and could also be embedded in the source code of extensions downloaded from the repository.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a little anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
