Visa has issued a warning about new digital skimming malware with a sophisticated design intended to circumvent detection by security tools.
The card giant said its Payment Fraud Disruption (PFD) group first discovered the “Baka” skimmer in February whilst analyzing a command and control (C2) server associated with the ImageID variant. PFD subsequently founded seven servers hosting the Baka skimming kit.
“While the skimmer itself is basic and contains the expected features offered by many e-commerce skimming kits (e.g. data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer,” it said.
“The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated.”
It’s currently unclear just how widespread the threat is. Visa said that it has identified the malware on “several” merchant websites around the world using its eCommerce Threat Disruption (eTD) capabilities.
However, the firm issued several recommendations for e-commerce providers including: regular scans for C2 communications, close vetting of third-party code and Content Delivery Networks (CDNs), regular website scanning and testing for malware an vulnerabilities, regular patching of shopping cart and other software and web application firewalls (WAFs) to block malicious traffic.
Visa also recommended merchants to restrict access to administrative portals, deploy two-factor authentication and to consider using a fully hosted checkout solution separate from the main e-commerce site.
The news comes just days after RiskIQ identified 1500 sites that had been infected with the prolific Inter digital skimmer.
At the end of August, Group-IB uncovered a new group, dubbed “UltraRank,” which it said was responsible for compromising hundreds of sites and multiple supply chain providers over the past five years.