Visa has warned of a new JavaScript e-commerce skimmer, dubbed Baka, that removes itself from memory after exfiltrating stolen data.
The credit card stealing script was revealed by researchers with Visa’s Payment Fraud Disruption (PFD) initiative almost 7 months ago.
In 2019, Visa exposed another JavaScript web skimmer, called Pipka, that rapidly spread to the online stores of at least 16 additional merchant websites after first being spotted on the e-commerce site of North American organizations in September last year.
In addition to the usual basic skimming features, such as configurable target form fields and data exfiltration using image requests, Baka has an advanced design indicating that it is the work of a skilled malware developer.
“The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code,” Visa’s alert reads.
“PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated.”
Visa spotted Baka on multiple online stores in numerous countries, and observed it being injected into affected e-commerce stores from the domains jquery-cycle[.]com, b-metric[.]com, and apienclave[.]com.
“The skimming payload decrypts to JavaScript written to resemble code that would be used to render pages dynamically,” Visa explained.
“The same encryption method as seen with the loader is used for the payload. Once executed, the skimmer captures the payment data from the checkout form.”
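As a defender-side illustration of the behaviours described above (script injection from the listed domains and exfiltration through image requests), the following added example, which is not from Visa's alert or the original article, audits the resource requests captured on a checkout page. The allowlisted hosts, the query-length threshold and the sample requests are assumptions constructed for the example.

```javascript
// Indicator domains named in the article, kept defanged in source and refanged at load.
const BAKA_DOMAINS = ["jquery-cycle[.]com", "b-metric[.]com", "apienclave[.]com"]
  .map((d) => d.replace(/\[\.\]/g, "."));

// Assumption: hosts this shop legitimately loads resources from (hypothetical names).
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// True when host is the domain itself or one of its subdomains.
const onDomain = (host, domain) => host === domain || host.endsWith("." + domain);

// requests: [{ type: "script" | "image" | ..., url: string }]
function auditRequests(requests, maxQueryLen = 64) {
  const findings = [];
  for (const { type, url } of requests) {
    let u;
    try {
      u = new URL(url);
    } catch (err) {
      findings.push({ url, reason: "unparseable-url" });
      continue;
    }
    const host = u.hostname;
    if (BAKA_DOMAINS.some((d) => onDomain(host, d))) {
      findings.push({ url, reason: "known-baka-domain" });
    } else if (ALLOWED_HOSTS.has(host)) {
      continue;
    } else if (type === "script") {
      findings.push({ url, reason: "script-from-unlisted-host" });
    } else if (type === "image" && u.search.length > maxQueryLen) {
      // A long query string on an image request to an unknown host can carry form data out.
      findings.push({ url, reason: "image-request-with-large-query" });
    }
  }
  return findings;
}

// Constructed sample, shaped like entries exported from a HAR capture of a checkout page.
const SAMPLE = [
  { type: "script", url: "https://cdn.shop.example/js/checkout.js" },
  { type: "script", url: `https://${BAKA_DOMAINS[0]}/constructed-path.js` },
  { type: "image", url: "https://img.unlisted.example/p.gif?d=" + "A".repeat(120) },
  { type: "image", url: "https://cdn.shop.example/logo.png" },
  { type: "image", url: "https://stats.unlisted.example/pixel.gif?id=1" },
];

for (const f of auditRequests(SAMPLE)) console.log(f.reason, f.url);
```

Because the skimmer removes itself from memory after exfiltration, request captures of this kind are more dependable evidence than inspecting the page afterwards.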