
Meet Pipka: A New and Threatening Website Skimmer

Benjamin Campbell

Credit card skimmers are a well-known threat at gas stations and other places where payment card terminals are left unattended. A physical skimmer is a device that fits into or over the card reader slot of a point-of-sale terminal and copies a card’s data as its owner performs a transaction. The captured data is stored for the skimmer’s owner to collect later.

Payment card skimmers are a lucrative business for criminals, since stolen card data can be used for fraudulent purchases or resold on underground markets. The threat is not limited to the physical world, however. Skimmers also have digital counterparts: instead of a physical device, they are malicious scripts that sit on the payment page of an organization’s website and harvest card details as customers type them in to make online purchases.

While this hurts the customer, it also hurts the website owner. Because the theft of payment card information is a data breach, organizations that fail to secure their websites and allow skimmers to be inserted into their pages can fall afoul of data protection regulations such as the EU’s General Data Protection Regulation (GDPR). GDPR fines can reach 20 million euros or 4% of an organization’s global annual turnover, whichever is higher, so the ability to detect and prevent web skimmers matters directly to an organization’s bottom line.

A prime example of the potential impact of a skimmer on an organization’s website is the GDPR penalty proposed against British Airways in July 2019. The intended fine of £183 million (about $230 million) was the largest any GDPR regulator had announced at the time, and the cause was a Magecart skimmer on the British Airways payment page that harvested passengers’ payment data.

A Brief Introduction to Website Skimmers

Before diving into the details of the Pipka skimmer, it’s helpful to understand how skimmers work in general. For this, it’s important to have a fundamental understanding of how a webpage is put together.

A webpage is made up of three main types of content. The hypertext markup language (HTML) instructions are the skeleton of the page, describing the main sections and the content that they contain. Cascading style sheets (CSS) act as the skin, allowing a web developer to customize the page and enforce consistent styling across an organization’s web presence. Scripts are executable code that enable animations and interactivity on the page but can also be used for malicious purposes.

Skimmers are malicious scripts that a cybercriminal has managed to get a webpage to execute. HTML allows CSS and script content either to be embedded directly in the page or to be loaded from a separate file, so an attacker who can inject a script into a payment page, or get the page to load one from a server they control, has a skimmer. This can be accomplished in a variety of ways: exploiting a web application vulnerability such as stored cross-site scripting (XSS), compromising an organization’s servers and editing the page’s source directly, or tampering with a third-party script the page already loads. Several cybercrime groups operate skimmers built this way, including a more recently discovered one called Pipka.

Introducing Pipka

The Pipka skimmer came to light in November 2019 in a report by Visa. The organization had detected the new skimmer in September of that year on an ecommerce website, and, through further investigation, identified it on sixteen additional websites.

Pipka is a feature-rich skimmer. Its operator can configure which form fields it collects; it supports multi-page checkout flows, where card details and customer details are entered on different pages; and it checks whether it has already exfiltrated a given set of card details before sending them to its command and control (C2) server. That last feature makes the malware stealthier, since fewer outbound transmissions means fewer chances to be detected. Another stealth feature is its exfiltration channel: rather than POSTing the data to the C2 server, it encodes the harvested data into the URL of an image GET request, so that in network logs the theft looks like an ordinary image or tracking-pixel load.
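As an added example (not code from the Visa report or from this article), the following Node.js script shows how a defender might hunt for that image-GET exfiltration pattern in outbound request logs from a proxy or browser telemetry. The log format, the host names and the image-host allow-list are constructed for illustration, and the card number in the sample beacon is the standard Visa test number 4111 1111 1111 1111. A request is flagged when it is a GET for an image path on a host the checkout page is not expected to load images from and a query parameter base64-decodes to Luhn-valid card numbers, or is a suspiciously long base64 blob even without a card number (the customer-details page of a multi-page checkout leaks name and address before the card is ever typed).

```javascript
// Added example: hunt for web-skimmer exfiltration hidden in image GET requests.
// Not from the article or the Visa report. The log format, the host names and
// the allow-list are constructed for illustration.

// Hosts that are expected to serve images to the checkout page (assumption).
const ALLOWED_IMAGE_HOSTS = new Set(['shop.example', 'cdn.example']);

// Luhn check: a 13-19 digit run that passes is treated as a probable card number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function findCardNumbers(text) {
  return (text.match(/\d{13,19}/g) || []).filter(luhnValid);
}

// Decode a standard or URL-safe base64 value; '' when it does not look like base64.
function tryBase64(value) {
  if (!/^[A-Za-z0-9+\/_-]{16,}={0,2}$/.test(value)) return '';
  const std = value.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64').toString('utf8');
}

// Inspect one outbound request. Returns a finding object or null.
function inspectRequest({ method, url, referer }) {
  if (method !== 'GET') return null;
  let u;
  try { u = new URL(url); } catch { return null; }
  if (!/\.(gif|png|jpe?g|webp|svg)$/i.test(u.pathname)) return null;
  if (ALLOWED_IMAGE_HOSTS.has(u.hostname)) return null;

  const reasons = [];
  for (const [name, value] of u.searchParams) {
    const decoded = tryBase64(value);
    if (!decoded) continue;
    const pans = findCardNumbers(decoded);
    if (pans.length > 0) {
      reasons.push(`param ${name}: ${pans.length} Luhn-valid number(s)`);
    } else if (value.length > 64) {
      // Multi-page checkouts leak name/address on one page and the card on the next.
      reasons.push(`param ${name}: ${value.length}-byte base64 blob`);
    }
  }
  return reasons.length > 0 ? { host: u.hostname, referer, reasons } : null;
}

// Constructed log format: "METHOD URL REFERER", one request per line.
function parseLine(line) {
  const [method, url, referer] = line.trim().split(/\s+/);
  return { method, url, referer };
}

function scanLog(lines) {
  return lines.map(parseLine).map(inspectRequest).filter(Boolean);
}

function describeFindings(findings) {
  return findings.map(f => `suspicious image beacon to ${f.host} from ${f.referer}: ${f.reasons.join('; ')}`);
}

// Constructed sample: the second line imitates a skimmer beacon carrying
// base64-encoded form data (4111... is the standard Visa test number).
const FAKE_FORM_DATA = 'cc=4111111111111111&exp=12/23&cvv=123&name=J%20Doe';
const SAMPLE_LOG = [
  'GET https://cdn.example/img/logo.png https://shop.example/checkout',
  `GET https://static-assets.example/pixel.gif?d=${encodeURIComponent(Buffer.from(FAKE_FORM_DATA).toString('base64'))} https://shop.example/checkout`,
  'POST https://shop.example/api/order https://shop.example/checkout',
  'GET https://static-assets.example/track.gif?id=abc123 https://shop.example/checkout',
];

console.log(describeFindings(scanLog(SAMPLE_LOG)).join('\n'));
```

Only the pixel.gif request is reported: the logo load is to an allowed host, the order submission is a POST, and the short `id=abc123` token is too short to be treated as base64. Ordinary session tokens that happen to look like base64 decode to garbage with no Luhn-valid digit runs and, below the length threshold, do not trip the blob rule, which keeps the noise manageable on real traffic.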

The feature that really sets Pipka apart from other skimmers, however, is its anti-forensics functionality. As soon as the skimmer executes, it removes its own script tag from the HTML document that loaded it. Since that tag is what ties the skimmer to the page, removing it from the live DOM makes the skimmer much harder to spot with browser developer tools once the attack has run. The HTML the server sends (and the compromised file on the server, if the injection was made there) still contains the tag, which is why comparing what the server returns with what the browser ends up holding is such a useful check.
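As an added illustration of that check (again, not code from the article or from the Visa report), the following Node.js script compares the HTML a server actually returned for the checkout page with the DOM as the browser serialized it after load, and lists the script tags that have vanished in between. Both documents and the host names are constructed samples; in practice the first comes from fetching the page with curl or from the file on the web server, and the second from `document.documentElement.outerHTML` in a headless browser or the developer tools.

```javascript
// Added example: find <script> tags that were present in the HTML the server
// sent but are missing from the DOM the browser serialized after load, which is
// exactly what Pipka's self-removal produces. Not code from the article or the
// Visa report; the two documents and the host names below are constructed.

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Reduce each script element to a stable fingerprint: its src URL, or for
// inline scripts the first 60 characters of its body. Fingerprints rather
// than raw markup, because browsers normalize attribute order and quoting.
function scriptFingerprints(html) {
  const fingerprints = [];
  SCRIPT_TAG.lastIndex = 0;
  let m;
  while ((m = SCRIPT_TAG.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    fingerprints.push(src ? `src:${src[1]}` : `inline:${m[2].trim().slice(0, 60)}`);
  }
  return fingerprints;
}

// Scripts in the served HTML that no longer exist in the live DOM.
function vanishedScripts(servedHtml, liveDom) {
  const live = new Set(scriptFingerprints(liveDom));
  return scriptFingerprints(servedHtml).filter(fp => !live.has(fp));
}

// Constructed sample: what the server returned for the checkout page. The
// second script tag imitates an injected skimmer loader on a look-alike CDN host.
const SERVED_HTML = `<!doctype html><html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script type="text/javascript" src="https://assets-cdn-example.net/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment">...</form></body></html>`;

// Constructed sample: document.documentElement.outerHTML captured after load.
// The browser dropped the doctype and the injected tag has removed itself.
const LIVE_DOM = `<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment">...</form></body></html>`;

for (const fp of vanishedScripts(SERVED_HTML, LIVE_DOM)) {
  console.log(`script present in served HTML but gone from live DOM: ${fp}`);
}
```

Treat a hit as a triage lead rather than proof: some tag managers and A/B testing loaders also remove their own tags after bootstrapping, so the next step is to fetch the vanished URL and read it. If the page itself can be instrumented, a MutationObserver watching for removed `SCRIPT` nodes catches the same behaviour at runtime and can report it to a logging endpoint before the evidence disappears.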

Protecting Against Website Skimmers

While Pipka introduces new anti-forensics tricks, it is one of a wide array of skimmers operating in the wild. The highly visible successes of the Magecart groups, including the British Airways breach, have inspired many other cybercriminals to start their own skimming campaigns. As a result, skimmers have become a significant threat to organizations’ website security and their ability to maintain regulatory compliance.

For a skimmer to be effective, it needs to be embedded in, or loaded by, an organization’s payment page. One common route in is a web application vulnerability such as XSS, and a web application firewall (WAF) capable of identifying and blocking XSS and similar attacks reduces an organization’s exposure to that route. A WAF does not see a skimmer that arrives through a compromised server or a tampered third-party script, however, so it should be combined with a Content Security Policy that restricts which hosts may serve scripts and images to the checkout page, Subresource Integrity hashes on third-party scripts, and integrity monitoring of the page source. Together these controls make it far harder to plant a skimmer and far easier to spot one that has been planted, which is ultimately what protects customers’ payment card data.

About the author

Ben is an accomplished and experienced freelance writer who has been featured in a number of high-profile publications and websites. If he’s not reading the Financial Times you’ll find him listening to live music or surfing at the coast.

