7 September 2020

Visa warns of a new sophisticated “Baka” JavaScript skimmer

Visa has released a security alert regarding a new advanced e-skimmer dubbed “Baka” that implements new features to evade detection and is able to remove itself once payment card details have been exfiltrated.

The new malware was discovered by researchers with Visa’s Payment Fraud Disruption (PFD) initiative in February 2020 while analyzing a command and control (C2) server that was previously observed hosting the ImageID skimmer variant. Although the skimmer itself is basic and contains features common for many e-commerce skimming kits, such as data exfiltration using image requests and configurable target form fields, Baka has some advanced capabilities suggesting it was developed by a skilled malware author.

“The most compelling components of this kit are the unique loader and obfuscation method. The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer tools or when data has been successfully exfiltrated,” the warning said.

PFD researchers found the Baka skimmer on several merchant websites across the world that are using Visa’s eTD capability.

The Baka loader works by dynamically adding a script tag to the current page. This script tag, in turn, loads a remote JavaScript file from a URL that is stored encrypted in the loader script. The attacker can change the URL for each victim, Visa notes.

When a user visits the merchant’s checkout page, the loader retrieves and executes the malicious skimming code, which decrypts to JavaScript written to resemble code that would be used to render pages dynamically. Once executed, the skimmer captures the payment data from the checkout form.
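Because the loader works by injecting a script tag at runtime, one defensive control a merchant can add to the checkout page is a monitor that flags script tags whose origin is not on a per-page allowlist. The following is an added example, not code from Visa's alert; the allowlisted origins are assumptions.

```javascript
// Added example (not from Visa's alert): flag script tags injected into the
// checkout page whose origin is not on the page's allowlist.
// Both origins below are assumed placeholders for a real deployment.
const ALLOWED_SCRIPT_ORIGINS = [
  "https://shop.example",           // assumed first-party origin
  "https://js.payment-example.com", // assumed payment provider origin
];

// Classify one script URL against the allowlist. Relative URLs resolve
// against the page origin; inline and unparsable sources are reported too,
// since an injected loader need not reference a remote file.
function auditScriptSource(src, allowedOrigins, pageOrigin = allowedOrigins[0]) {
  if (!src) return { src, origin: null, allowed: false, reason: "inline script" };
  let origin;
  try {
    origin = new URL(src, pageOrigin).origin;
  } catch (e) {
    return { src, origin: null, allowed: false, reason: "unparsable URL" };
  }
  const allowed = allowedOrigins.includes(origin);
  return { src, origin, allowed, reason: allowed ? "allowlisted origin" : "origin not on allowlist" };
}

// Audit a batch of sources (e.g. gathered from document.scripts at load time)
// and return only the entries that should be reported.
function findUnexpectedScripts(srcs, allowedOrigins) {
  return srcs.map((s) => auditScriptSource(s, allowedOrigins)).filter((r) => !r.allowed);
}

// In a browser, watch the DOM for script tags added after load, which is how
// the loader described above operates. Outside a browser (no MutationObserver)
// this returns null so the pure functions above can still be used for testing.
function watchForInjectedScripts(allowedOrigins, report = console.warn) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName !== "SCRIPT") continue;
        const verdict = auditScriptSource(node.src, allowedOrigins, location.origin);
        if (!verdict.allowed) report("unexpected script on checkout page", verdict);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

The `report` callback is where a real deployment would send a beacon to the merchant's logging endpoint so that an injected script is visible in monitoring rather than only in the browser console.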

“To further prevent detection, Baka uses an XOR cipher to encrypt hard-coded values and obfuscate the skimming code delivered by the C2. While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware. The developer of this malware kit uses the same cipher function in the loader and the skimmer,” according to the warning.

Visa's security alert also provides Indicators of Compromise (IoC) and best practices and mitigation measures that organizations can implement to defend themselves from this new threat.