Pipka skimmer can delete itself from an infected site

Visa specialists have discovered a previously unknown malicious script that steals bank card data from online stores. The malware, called Pipka, also has a unique ability: it can delete itself from an infected site.

The Pipka skimmer has been found on at least 16 e-commerce sites.

“A malicious JavaScript script can be customized to a specific web resource,” report Visa information security experts.

Experts found that the skimmer hunts for bank card numbers, CVV codes, PayPal credentials and other financial information, depending on the structure of the target site. One variant obtained by the researchers handled two-step checkout forms, where billing data is entered on separate pages.


Researchers were surprised by the malware's ability to clear itself from the HTML code of an infected online store. As soon as the script has executed, it removes its own script tag from the page, leaving no visible trace of its presence.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming,” write Visa specialists.

This behavior seriously complicates the detection of Pipka, both for security tools and for site administrators.

The malicious script transfers the collected data to the command-and-control server, first encoding it with the ROT13 cipher and then with Base64. Before sending the next batch of information, the program checks whether it has already sent that data, to avoid exfiltrating duplicates.
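As an added example (not from Visa's report or from the Pipka code itself), a small Python triage helper that reverses this encoding order on captured outbound request URLs and flags query parameters that decode to Luhn-valid card numbers; the hostnames, request URLs and card data are constructed fixtures.

```python
import base64
import binascii
import codecs
import re
from urllib.parse import parse_qs, quote, urlparse

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def unwrap_rot13_base64(value: str):
    """Undo the layering described for Pipka: Base64 on the outside, ROT13 underneath."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not Base64, or not text once decoded
    return codecs.decode(text, "rot_13")

def find_card_numbers(text: str):
    """Return Luhn-valid PANs in masked form (first six and last four digits kept)."""
    return [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in PAN_RE.findall(text) if luhn_ok(p)]

def scan_request(url: str):
    """Flag query parameters that decode to card data: (param, decoded text, masked PANs)."""
    hits = []
    for name, values in parse_qs(urlparse(url).query).items():
        for v in values:
            decoded = unwrap_rot13_base64(v)
            if decoded is not None:
                pans = find_card_numbers(decoded)
                if pans:
                    hits.append((name, decoded, pans))
    return hits

def _layer_encode(plain: str) -> str:
    # Fixture builder only: wraps constructed test data the same way (ROT13, then Base64).
    return base64.b64encode(codecs.encode(plain, "rot_13").encode("ascii")).decode("ascii")

# Constructed sample requests; 4111111111111111 is a well-known test PAN, not a real card.
SAMPLE_REQUESTS = [
    "https://collector.example/t.php?d=" + quote(_layer_encode("cc=4111111111111111&cvv=123&exp=1225"), safe=""),
    "https://analytics.example/hit?v=1&tid=UA-1234567-1&t=pageview",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url.split("?")[0], "->", scan_request(url) or "clean")
```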

The campaign, recorded in September of this year, affected web resources located in North America. One of the sites infected with Pipka had previously been infected with the Inter skimmer, but experts do not claim that both programs were written by the same author.

Analysts also did not name the engine on which the infected sites ran. In early October, information security experts found a skimmer on the site of Magento solution developer Extendware. The info-stealer intercepted the payment data of plugin buyers and could also have been embedded in the source code of extensions downloaded from the repository.