Visa issued a prenotice for a new JavaScript skimmer known as Baka, which will be flushed from memory after the stolen ones are removed data.
The credit card theft script was discovered by researchers at Visa's initiative Payment Fraud Disruption (PFD) in February 2020 while examining a command and control (C2) server hosting an ImageID skaming kit.
Last year, Visa discovered another skimmer JavaScript known as Pipka which quickly spread to online stores after it was first spotted on an e-commerce site of North American organizations in September 2019.
Avoid detection and analysis
Apart from the regular basics possibilities scanning features such as configurable target form fields and data extraction using image requests, Baka also features an advanced design that suggests it is the project of a skilled malicious developer software and comes with a unique obfuscation method.
Baka was detected by Visa in several online stores from various countries and observed during injection into compromised e-commerce stores by jquery-cycle [.] Com, b-metric [.] Com, apienclave [.] Com, quicdn [.] com, apisquere [.] com, ordercheck [.] online and pridecdn [.] com domains.
The skimmer is added to the merchants' purchase pages, using a script tag, and the loader uses it to download the skimming code from the C2 server to run it in memory.
This allows intruders to make sure that the password used to collect customer data will not be found when parsing files hosted on the merchant's server or client's computer.
Baka is also the first malware JavaScript (detected by Visa) and uses an XOR cipher to disguise the skimming code received from the C2 server.
Visa recommends that member financial institutions, e-commerce merchants, service providers, third party suppliers and resellers refer to the document What to do in a breach (WTDIC) for instructions if their payment systems are breached.
The company also shared the list of bestsellers practices for securing e-commerce platforms, as described by the PCI Security Standards Board.