This newly discovered skimmer, dubbed "Pipka," has the ability to remove itself from the HTML of a compromised payment website after it executes, enabling it to avoid security detection, according to the Visa researchers.
After first finding Pipka, the Visa researchers discovered the skimmer on at least 16 other online checkout pages at e-commerce sites. As with other skimmers, Pipka is designed to extract payment card account number, expiration date, card verification value number, cardholder name and address, according to the report.
Rash of Skimmer Attacks
Munson notes, however, that the Visa researchers have not found evidence that the Pipka malware is available for sale or rent on dark net sites. "The malware was configured consistently across the attacks, and Visa's payment fraud disruption team believes the infections are from a single actor or group of actors," Munson says.
And while Visa hasn't attributed Pipka to a particular cybercriminal group, other security researchers, such as RiskIQ, have attributed the increase in these types of skimming attacks to Magecart, an umbrella organization consisting of about a dozen criminal groups that has been increasingly active over the last year in targeting e-commerce sites to syphon off customer data.
Over the past year, RiskIQ says that 18,000 website domains have been breached using Magecart code.
Some of the major companies targeted by these attacks are British Airways, Ticketmaster and Newegg, researchers say.
In September, a security researcher uncovered credit card skimming attacks targeting websites that use a cloud-based payment platform from Volusion. One of the sites targeted during these attacks is Sesame Street Live, which has a checkout function hosted on the Volusion platform (see: Volusion Payment Platform Sites Hit by Attackers).
"The skimmer checks for these configured fields before executing, and in the cases investigated by [Visa], the skimmer is configured to check for the payment account number field," according to the alert.
Pipka double-checks the data string before sending the information back to the attackers to avoid sending duplicate data, the Visa research shows.
After the stolen data is uploaded and sent to the command-and-control server, Pipka then activates what the researchers call a "clear" function – a self-cleaning feature that removes traces of the code from the HTML, according to Visa. This makes the skimmer more difficult to detect and remove, the researchers say.
The rapid spread of these skimmers should be a security concern for online merchants, Munson says. "Regional victimology can shift quickly, which is why Visa distributed the security alert about the malware broadly," he says.
Visa suggests e-commerce sites run more frequent checks of their checkout pages to see if any code is attempting to communicate with known command-and-control servers.