The Pipka skimmer was discovered by Visa Payment Fraud Disruption (PFD).
Pipka Skimmer Detected in the Wild
According to Visa’s report, the skimmer was first discovered in September this year. The skimmer has been named Pipka “due to the skimmer’s configured exfiltration point at the time of analysis.”
It is noteworthy that Pipka is capable of removing itself from the HTML of the compromised websites after execution, which makes it harder to detect. This behavior is not seen in most known skimmers.
The Pipka skimmer is configured to check for the payment account number field. All data harvested by the skimming malware is encoded using base64 and the ROT13 cipher. Before exfiltration, the malware checks that the data string has not been sent previously, to avoid sending duplicate data. If the string is unique, the data is exfiltrated to a command and control server, the PFD report said.
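For responders reviewing captured outbound request values, the following added example (not code from Visa's report or from the skimmer) checks whether a string unwraps to payment card data. It assumes the blob is plain ASCII and tries both layering orders, since the article does not state which is applied first; the sample payload and its field names are constructed.

```python
import base64, binascii, codecs, re

PAN_RE = re.compile(r"\b\d{13,19}\b")   # candidate card-number runs

def luhn_ok(digits):
    """Luhn checksum, used to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _b64_text(s):
    """Strict base64 decode to UTF-8 text; None if either step fails."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def candidates(blob):
    """Yield (layering, plaintext) for each order that decodes cleanly.
    ROT13 maps letters to letters, so a ROT13'd base64 string is still
    valid base64: the alphabet alone cannot tell the two orders apart."""
    outer = _b64_text(codecs.decode(blob, "rot13"))
    if outer is not None:
        yield "base64-then-rot13", outer
    inner = _b64_text(blob)
    if inner is not None:
        yield "rot13-then-base64", codecs.decode(inner, "rot13")

def mask(pan):
    """Keep first six and last four digits so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def triage(blob):
    """Return one finding per layering whose plaintext holds a Luhn-valid PAN."""
    findings = []
    for layering, text in candidates(blob):
        pans = [p for p in PAN_RE.findall(text) if luhn_ok(p)]
        if pans:
            findings.append({"layering": layering, "pans": [mask(p) for p in pans]})
    return findings

# Constructed sample: a made-up form payload with the standard Visa test number.
_PLAIN = "cc=4111111111111111&exp=12/25"
SAMPLE_A = codecs.encode(base64.b64encode(_PLAIN.encode()).decode(), "rot13")
SAMPLE_B = base64.b64encode(codecs.encode(_PLAIN, "rot13").encode()).decode()
```

Because the wrong layering can still decode without error, the Luhn check on the recovered text is what confirms a finding, not the success of the decode.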
PFD researchers believe that the Pipka skimmer will continue to be used in future attacks against e-commerce websites to harvest payment account data.
In November 2018, security researchers discovered that the Magecart malware was able to re-infect websites after the skimmer was removed.