Saturday , September 26 2020
Home / Security / Web payment card skimmers add anti-forensics capabilities

The newly discovered Pipka script can delete itself from a website after execution, making it very difficult to detect.

Web payment card skimmers add anti-forensics capabilities


CSO Senior Writer,


Researchers have detected compromises on ecommerce sites with a new JavaScript-based payment card skimmer that uses anti-forensics techniques, including the ability to remove itself from the web page’s code after execution. Dubbed Pipka, the malicious script was found by researchers from Visa’s Payment Fraud Disruption (PFD) team on the site of a North American merchant that had been previously infected with a different skimmer called Inter. Further investigation uncovered another 16 online merchant sites infected with Pipka.

[ Get inside the mind of a hacker, learn their motives and their malware. | Sign up for CSO newsletters! ]

Web skimming is the theft of payment card details from ecommerce websites through malicious scripts injected into them. The scripts are typically injected into the checkout pages to siphon off card information as it is entered by buyers into web forms.

This type of attack has become popular over the past few years, with the rise of one particular skimmer called Magecart that over a dozen groups use. Despite using the same skimmer, these groups employ different techniques and methods to inject their malicious code into websites and keep it hidden.

Some exploit known vulnerabilities. Others compromise legitimate third-party scripts that are loaded into websites, like those for web analytics services, and there is evidence that some groups are compromising routers used to set up Wi-Fi hotspots in airports and other public spaces to inject their code into legitimate traffic.

Researchers have even found evidence that links some of the Magecart groups with sophisticated cybercrime groups like Cobalt and FIN6 that have historically targeted the infrastructure of banks and retailers. This suggests web skimming is profitable enough to be on the radar of well-established criminal gangs that have already stolen hundreds of millions of dollars from organizations worldwide.

It’s then no surprise that other web skimmers like Inter and now Pipka have started to appear to compete with Magecart and some of them have started being sold as commodities on underground markets. With no shortage of methods of compromising websites, researchers expect that web skimming attacks will continue.

According to Visa PFD’s analysis, Pipka is customizable, attackers being able to configure which form fields they want to steal data from. The stolen data is stored in a cookie in encrypted form and is then exfiltrated to a command-and-control server.

The skimmer can target two-step checkout pages by having configurable fields for both billing data and payment account data. Its most interesting feature, however, is its ability to delete itself from the page after successful execution.

“When the skimmer executes, on script load, it calls the start function which calls the clear function and sets the skimmer to look for data every second,” the Visa researchers said in their security alert. “The clear function locates the skimmer’s script tag on the page and removes it. Since this happens immediately after the script loads, it is difficult for analysts or website administrators to spot the code when visiting the page.”

This type of self-removal routine has been used in desktop malware, but this is the first time it’s been observed in web skimmers, which marks “a significant development” in this type of attack, the Visa researchers said.

Visa PFD advises administrators to add recurring checks in their ecommerce environments for communications with known command-and-control servers used by skimmers, to regularly scan their sites for vulnerabilities or malware, to vet their content delivery networks and the third-party code loaded by partners into their websites, to ensure their shopping cart software and other services are up-to-date and patched, to use strong administrative passwords and limit access to the administrative portal and to consider using an external checkout solution where customers enter their payment details on another webpage instead of the merchant’s site.

More on payment card fraud:

This story, “Web payment card skimmers add anti-forensics capabilities” was originally published by


Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2019 IDG Communications, Inc.


About IT News Ug

Check Also

Apple finally releases first macOS ‘Big Sur’ public beta

Though Apple had said it would deliver the public beta of its upcoming OS in July, that month came and went without a release.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.