Payment card network Visa has warned merchants about a new credit card skimming malware, dubbed "Baka", that evades traditional detection methods. Visa's Payment Fraud Disruption (PFD) division discovered the skimmer while analyzing a command and control (C2) server; the investigation identified seven C2 domains hosting the Baka skimming kit.
Baka: The Unique Skimmer
Along with the basic features offered by most skimming kits, Baka has advanced capabilities that help it evade security scanners. In addition, the skimmer removes itself from the browser's memory once it has exfiltrated the captured data, so little evidence remains on the victim's device.
“The most compelling components of this kit are the unique loader and obfuscation method. The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated,” Visa said.
Indicators of Compromise
Visa observed the following seven domains hosting the Baka skimming kit:
Domain names (defanged):
- jquery-cycle[.]com
- b-metric[.]com
- apienclave[.]com
- quicdn[.]com
- apisquere[.]com
- ordercheck[.]online
- pridecdn[.]com
According to Visa's PFD division, the skimmer schedules five operations after it is injected into the checkout page:
- Generate a decryption function to decrypt the list of form fields from which the skimmer will steal data.
- Every 100 milliseconds, read the targeted fields. The attacker specifies which fields are targeted when generating the skimming script for a particular victim site.
- Every 100 milliseconds, check whether any data has been captured. If so, this function triggers exfiltration and sets a flag called "this.load" indicating that the skimmer successfully exfiltrated data.
- Every 3 seconds, check whether data should be sent to the exfiltration gateway. If the captured-data flag is set, the gateway URL is decrypted using the current victim merchant's domain name as the key, and the skimmed data is encoded into the GET parameters of that URL.
- The last scheduled operation is a clean-up function. Once data has been exfiltrated, it removes the entire skimming code from memory to avoid detection.
Mitigation Measures
- Institute recurring checks in eCommerce environments for outbound connections to the C2 domains listed above, in server logs, proxy logs, and DNS logs.
- Ensure familiarity and vigilance with code integrated into eCommerce environments via service providers.
- Closely vet the Content Delivery Networks (CDNs) and other third-party resources the site loads.
- Regularly scan and test eCommerce sites for vulnerabilities or malware.
- Regularly ensure that the shopping cart, other services, and all software are upgraded or patched to the latest versions to keep attackers out. Set up a Web Application Firewall to block suspicious and malicious requests from reaching the website.
- Limit access to the administrative portal and accounts to those who need them.
- Require strong administrative passwords (use a password manager for best results) and enable two-factor authentication.
- Consider using a fully hosted checkout solution, where customers enter their payment details on a separate page hosted by the checkout provider rather than on the merchant's site. Because the card fields never exist on the merchant's page, a skimmer injected into that page has nothing to read; this is the most effective protection for the merchant and their customers against eCommerce skimming malware.
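The first mitigation above (recurring checks for communications with the C2 domains) can be automated against the Indicators of Compromise listed earlier. The following is an added example, not code from Visa or from this article: it refangs the published domains, then scans proxy log lines and a checkout page's script tags for requests to those hosts or any subdomain of them. The log format (`timestamp client method url status`), the sample log lines, the sample HTML and the URL paths in them are all constructed for the example; the page does not publish the real loader or gateway paths.

```python
import re
from urllib.parse import urlparse

# Baka C2 domains published by Visa PFD, kept defanged exactly as listed on the page.
BAKA_C2_DOMAINS = [
    "jquery-cycle[.]com",
    "b-metric[.]com",
    "apienclave[.]com",
    "quicdn[.]com",
    "apisquere[.]com",
    "ordercheck[.]online",
    "pridecdn[.]com",
]


def refang(domain):
    """Turn a defanged indicator such as 'quicdn[.]com' into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


C2_SET = {refang(d) for d in BAKA_C2_DOMAINS}


def host_matches(host, c2_domains=C2_SET):
    """True if host is one of the C2 domains or a subdomain of one.

    The '.' prefix in the suffix test prevents 'notquicdn.com' from matching 'quicdn.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in c2_domains)


# Assumed proxy log format: "<timestamp> <client> <method> <url> <status>" (constructed).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log_lines(lines):
    """Return one dict per log line whose request host is a Baka C2 host. Malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlparse(m["url"]).hostname or ""
        if host_matches(host):
            hits.append({"ts": m["ts"], "client": m["client"], "host": host, "url": m["url"]})
    return hits


SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)


def scan_html(html):
    """Return the src attributes of <script> tags on a page that load from a Baka C2 host."""
    flagged = []
    for src in SCRIPT_SRC_RE.findall(html):
        url = "https:" + src if src.startswith("//") else src   # protocol-relative src
        host = urlparse(url).hostname or ""                      # relative paths have no host
        if host_matches(host):
            flagged.append(src)
    return flagged


# Constructed sample input: one legitimate jQuery load, three C2 contacts, one look-alike, one bad line.
SAMPLE_LOG = [
    "2020-09-07T12:00:01Z 10.0.0.5 GET https://code.jquery.com/jquery-3.5.1.min.js 200",
    "2020-09-07T12:00:02Z 10.0.0.5 GET https://jquery-cycle.com/jquery.cycle.js 200",
    "2020-09-07T12:00:05Z 10.0.0.5 GET https://quicdn.com/api?d=ZXhhbXBsZQ== 200",
    "2020-09-07T12:00:06Z 10.0.0.5 GET https://cdn.pridecdn.com/p.js 200",
    "2020-09-07T12:00:07Z 10.0.0.5 GET https://notquicdn.com/x 200",
    "malformed line",
]

# Constructed checkout page: a legitimate CDN script, a first-party script and one C2 loader.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script src="/static/checkout.js"></script>
<script src="//apienclave.com/loader.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("C2 contact:", hit["ts"], hit["client"], "->", hit["url"])
    for src in scan_html(SAMPLE_HTML):
        print("C2 script on checkout page:", src)
```

Run it on a rotation of real proxy or DNS logs from a scheduled job; any hit is worth an immediate look at the checkout page's script sources, since the loader is the part of the kit that stays on disk while the skimmer itself removes itself from memory.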