The credit card skimming script was first identified by researchers with Visa's Payment Fraud Disruption (PFD) initiative almost seven months ago.
Alongside the basic features found in most web skimmers, such as configurable target form fields and data exfiltration through image requests, Baka has an advanced design that indicates it was written by a skilled malware developer.
“The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code,” Visa’s alert reads.
“PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated.”
Visa spotted Baka on multiple online stores in several countries, and observed it being loaded onto the affected e-commerce sites from the domains jquery-cycle[.]com, b-metric[.]com and apienclave[.]com.
“The same encryption method as seen with the loader is used for the payload. Once executed, the skimmer captures the payment data from the checkout form.”
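Exfiltrating captured checkout fields through an image request is generic to web skimmers, not specific to Baka. As an added example (not Visa PFD's code and not the Baka skimmer itself), the Node.js script below shows the detection side of that trick: it pulls the img-src allow-list out of a checkout page's Content-Security-Policy header and flags image loads that go to an origin off that list, or that carry a Luhn-valid card number in the URL, plain or base64-encoded. The hostnames, CSP header and request URLs are constructed for the example; the only real artefact is the standard 4111 1111 1111 1111 test PAN.

```javascript
// Added example for this article; not Visa PFD's code and not the Baka skimmer.
// Checks image loads recorded from a checkout page (CSP violation reports or a
// forward proxy log) for the "exfiltration via image request" pattern.
// All hosts, the CSP header and the requests below are constructed.
// Run with: node skimmer-img-check.js

function luhnValid(digits) {
  // Luhn checksum used by payment card numbers (digits only, 13-19 long).
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

function findCardNumbers(text) {
  // Runs of 13-19 digits, optionally separated by spaces or dashes, that pass Luhn.
  const found = [];
  for (const m of text.match(/(?:\d[ -]?){12,18}\d/g) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

function decodeCandidates(value) {
  // The raw value, plus its base64 decoding when the value is well-formed base64
  // that decodes to printable ASCII (skimmers commonly encode the stolen blob).
  const out = [value];
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(value) && value.length % 4 !== 1) {
    const decoded = Buffer.from(value, 'base64').toString('latin1');
    if (/^[\x20-\x7e]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

function imgSrcAllowlist(cspHeader, pageOrigin) {
  // Origins permitted by the img-src directive of a Content-Security-Policy header.
  // Only 'self' and full-origin sources are handled; a checkout page should not
  // need wildcards or scheme-only sources anyway.
  const directive = cspHeader.split(';').map(s => s.trim()).find(s => s.startsWith('img-src '));
  if (!directive) return null; // no img-src: nothing specific to enforce
  return directive.slice('img-src '.length).trim().split(/\s+/)
    .map(src => (src === "'self'" ? pageOrigin : src.replace(/\/$/, '')));
}

function classifyImageRequest(url, allowedOrigins) {
  // Suspect if the origin is off the allow-list, or if any part of the URL
  // (path, raw query, or a decoded query parameter) holds a card number.
  const u = new URL(url);
  const reasons = [];
  if (!allowedOrigins.includes(u.origin)) {
    reasons.push('origin not in img-src allow-list: ' + u.origin);
  }
  const blobs = [u.pathname, u.search.slice(1)];
  for (const [, v] of u.searchParams) blobs.push(v);
  const pans = new Set();
  for (const blob of blobs) {
    for (const cand of decodeCandidates(blob)) {
      for (const pan of findCardNumbers(cand)) pans.add(pan);
    }
  }
  if (pans.size > 0) {
    reasons.push('Luhn-valid card number in request: ' + [...pans].join(', '));
  }
  return { origin: u.origin, suspect: reasons.length > 0, cardNumbers: [...pans], reasons };
}

// Constructed sample: a checkout page's CSP and four image loads that a CSP
// report endpoint or forward proxy might record. Hosts are fictitious.
const PAGE_ORIGIN = 'https://shop.example.test';
const CSP = "default-src 'self'; script-src 'self'; img-src 'self' https://cdn.example.test";
const CHECKOUT_IMG_ALLOWLIST = imgSrcAllowlist(CSP, PAGE_ORIGIN);
const STOLEN_FORM = 'cc=4111111111111111&exp=12/26&cvv=123&name=Jane Doe'; // industry test PAN
const SAMPLE_IMAGE_REQUESTS = [
  'https://cdn.example.test/img/visa-logo.png?v=20200901',
  'https://shop.example.test/pixel.gif?uid=00017853',
  // whole form serialised into one base64 parameter, as many skimmers do
  'https://img-metric.example.test/p.gif?d=' + encodeURIComponent(Buffer.from(STOLEN_FORM).toString('base64')),
  // plain field names in the query, card number with spaces
  'https://static-cycle.example.test/1x1.png?cc=4111%201111%201111%201111&cvv=123',
];

function scanSample() {
  return SAMPLE_IMAGE_REQUESTS.map(url => classifyImageRequest(url, CHECKOUT_IMG_ALLOWLIST));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanSample()) console.log(r.suspect ? 'SUSPECT' : 'ok     ', r.origin, r.reasons.join('; '));
}
```

A strict img-src on the checkout page turns the first check from detection into prevention: the browser refuses the image load and can post a violation report, which is the feed the script is meant to run over. The card-number check is only a heuristic. A skimmer that encrypts the blob before sending it, as Visa says Baka does with per-victim parameters, passes it untouched, so the origin allow-list is the check to rely on.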