Pipka JavaScript Skimmer Deletes Itself After Execution

Visa has identified a new type of JavaScript skimmer in the wild that can erase itself from HTML code after execution.

The malware, named Pipka, was found running on several eCommerce websites in the United States. While the basic working principle behind this JavaScript skimmer is not new, its ability to delete itself after execution caught the attention of security professionals.

Pipka was found running on a website already infected with another skimmer, named Inter. Pipka lets attackers see what form fields are parsed and extracted, including sensitive data such as the payment account number, expiration date, CVV, and cardholder name and address.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution,” says Visa. “This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming.”

Moreover, Pipka is not a proof of concept. It was already running in the wild when researchers from Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program found it, which means it might be more widespread.
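A site operator can watch for the self-removal behaviour described above from inside the page. The following is an added example, not code from Visa's alert or from Pipka: it records `<script>` elements that are removed from the DOM, and the 5-second window, function names and report fields are assumptions.

```javascript
// Added example: record <script> elements that leave the DOM after being inserted.
// WINDOW_MS and the finding format are assumptions chosen for illustration.
const WINDOW_MS = 5000;

const isScript = (n) => !!n && String(n.nodeName).toUpperCase() === 'SCRIPT';

function createScriptRemovalTracker(windowMs = WINDOW_MS) {
  const addedAt = new WeakMap(); // script node -> time it was inserted
  const findings = [];

  // Accepts MutationRecord-like objects ({ addedNodes, removedNodes }).
  // Only directly added/removed <script> nodes are tracked, not scripts
  // nested inside a larger added or removed subtree.
  function process(records, now = Date.now()) {
    for (const rec of records) {
      for (const n of Array.from(rec.addedNodes || [])) {
        if (isScript(n)) addedAt.set(n, now);
      }
      for (const n of Array.from(rec.removedNodes || [])) {
        if (!isScript(n)) continue;
        const seen = addedAt.get(n);
        const livedMs = seen === undefined ? null : now - seen;
        findings.push({
          src: n.src || null,                        // null for inline scripts
          inlineLength: (n.textContent || '').length,
          livedMs,                                   // null: inserted before observation began
          shortLived: livedMs !== null && livedMs <= windowMs,
        });
        addedAt.delete(n);
      }
    }
    return findings;
  }
  return { process, findings };
}

// Browser wiring: load this as the first script in <head> so later scripts are observed.
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  const tracker = createScriptRemovalTracker();
  new MutationObserver((records) => {
    const before = tracker.findings.length;
    tracker.process(records);
    for (const f of tracker.findings.slice(before)) {
      console.warn('script element removed from DOM', f); // replace with your own telemetry
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Legitimate code such as JSONP helpers also removes its own script tags, so findings need triage against the scripts the site is expected to load. In-page monitoring is best effort, since it only sees scripts that run after it.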

Users have few choices when it comes to JavaScript skimmers, as the process is invisible to them. However, they can safeguard against such problems by installing security software, using multi-factor authentication, enabling alerts for credit cards, and sticking only to known websites that employ 3-D Secure (Visa only).
