Visa: Keeping Online Merchants Safe From The Pipka Skimmer


A new version of the card skimmer resides on eCommerce checkout pages, where fraudsters steal consumers’ data as it is entered. The newest sinister iteration of JavaScript skimming, Pipka, disappears from the merchant site after the data is stolen — meaning that it’s tough to follow a fraudster’s trail. David Capezza, senior director of payments systems intelligence at Visa, tells PYMNTS what is next in skimming  — and how merchants can gird against the bad guys.

Online sales during the season are expected to soar, with recent estimates projecting gains of 14 percent over last year to $143 billion. It’s no surprise, then, that fraudsters go where the valuable data goes, focusing their attacks on eCommerce sites. Where brick-and-mortar had once been their hunting ground, card-not-present transactions are increasingly in the crosshairs.

In a 21st century bits-and-bytes version of the card skimmer (a physical device attached to ATMs or POS terminals to steal card information), now comes Pipka — a new threat to consumers and merchants, nestled at the point of checkout … and a bit sinister. That is because, once the card data is stolen, the traces of the crime are erased.

Payments network Visa said, via its Visa Payment Fraud Disruption’s eCommerce Threat Disruption (eTD) program, that it has detected a new JavaScript skimmer that targets consumer data as it is entered into payment pages on merchant sites. The malicious script was found at 17 merchants.

In an interview with PYMNTS, David Capezza, senior director of payment systems intelligence at Visa, said that JavaScript skimming exists as a variant of online skimming — which, of course, has grabbed headlines, such as through Magecart attacks (done through a consortium of hackers).

One wrinkle with Pipka: As Visa noted in its report, “The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution. This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming.”

The emergence of Pipka reflects, as Capezza said, a “more developed normalcy from the criminal perspective,” where bad actors are finding new ways to target the eCommerce space.

The Top-Down Approach

Against the backdrop of this new development, Capezza said a comprehensive approach is warranted in combatting eCommerce fraud.

He told PYMNTS that Visa’s eTD program has been able to identify self-cleaning malware because it does not hunt for skimmers on a case-by-case basis by isolating where JavaScript is deployed on a merchant site. Instead, Visa seeks to identify “the command and control” domains and servers favored by fraudsters, and then determines which merchants are connected to them. Capezza called this the “top-down approach” — one that renders the self-cleaning mechanism (the Pipka hallmark) irrelevant, since the evidence lies in the connection to the fraudsters’ infrastructure rather than in code that may already have removed itself from the page.
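The top-down idea, and why a script that deletes itself from the page does not defeat it, can be sketched in code: rather than inspecting one merchant's checkout page for a skimmer, index which merchants reference each external host and look up the known command-and-control hosts. The block below is an added example, not Visa's eTD code or anything from the article; the merchant pages, the host names and the use of page content as the "connection" evidence are all constructed assumptions.

```python
# Added example (not Visa's or PYMNTS' code); every host name is a constructed placeholder.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

class ScriptHostParser(HTMLParser):
    """Collect hosts from <script src=...> and from URLs inside inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts, self._in_script = set(), False
    def _add(self, url):
        if host := urlparse(url).hostname:
            self.hosts.add(host.lower())
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            if src := dict(attrs).get("src"):
                self._add(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies here
            for url in URL_RE.findall(data):
                self._add(url)

def merchants_by_host(pages):
    """Invert the relation: host -> set of merchants whose checkout page references it."""
    index = {}
    for merchant, html in pages.items():
        parser = ScriptHostParser()
        parser.feed(html)
        for host in parser.hosts:
            index.setdefault(host, set()).add(merchant)
    return index

def flagged_merchants(pages, known_c2):
    """Top-down check: which merchants are connected to a known C2 host."""
    return {h: m for h, m in merchants_by_host(pages).items() if h in known_c2}

# Constructed pages: merchant-c carries an injected inline script naming the C2 host.
PAGES = {
    "merchant-a": '<script src="https://cdn.shop-a.example/checkout.js"></script>',
    "merchant-b": '<script src="https://pay.provider.example/v1.js"></script>',
    "merchant-c": '<script src="https://pay.provider.example/v1.js"></script>'
                  '<script>var endpoint = "https://c2-placeholder.example/collect";</script>',
}
KNOWN_C2 = {"c2-placeholder.example"}
```

Because the lookup keys on the host, a page fetched after the skimmer has removed itself still contributes whatever hosts it references at fetch time; in practice the same index can be fed from network telemetry instead of page content.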

What The Merchants Must Do

Merchants (and, specifically, their site administrators) must be proactive in keeping their online shopping carts and payment pages safe from skimming attempts. Capezza cautioned that Pipka is simply one of multiple variants of JavaScript skimming malware.

Web application firewalls and patches need to be updated quickly, and firms should monitor whether their sites are communicating with command and control systems linked to fraudsters. It’s important, too, Capezza added, to implement best practices as outlined by the PCI Security Standards Council. Patching and monitoring of this kind might be thought of as low-hanging fruit.

“I would not underestimate the importance of low-hanging fruit. The reason why they are so vital is that we see criminals going after these key core security issues,” Capezza said.

Beyond the external threats, he noted that best practices include limiting access to the administrative portal, putting multi-factor authentication processes in place and consistently reviewing logs to see who has accessed the site and when. These practices may give insight into whether external or anomalous IP addresses are accessing the sites.

“All of these things come into play in a ‘holistic defense,’” said Capezza, “and it applies not [only] to a major enterprise, but … to maintaining a secure payment page as well. It’s just a different scale, but all the same processes.”

Where We’re Headed

Though it has not yet been disclosed whether Pipka has been successful, there may be a progression. Capezza told PYMNTS that the first logical extension one would expect to see with such malware is a “broader victimology.” As he noted, the only Pipka identifications thus far have been in North America, but the reach could broaden — don’t expect the recent news surrounding Pipka to be a one-off.

“What we’re seeing now in the JavaScript skimming code demonstrates the fact that criminals are going to continue targeting this space in the near future,” said Capezza.
