Security researchers at Visa’s Payment Fraud Disruption Group first identified the malware on a North American merchant website in September 2019. Upon further investigation, it was found that the malware was responsible for compromising at least sixteen more e-commerce sites.
In a security alert, researchers described the self-cleaning mechanism as something unique to Pipka. After the skimmer has run, it removes its own script from the HTML of the compromised page, so a casual inspection of the rendered page source after load will not show it; catching it requires examining the page as served or watching script execution rather than the DOM left behind.
What can it steal?
The harvested data is base64 encoded and obfuscated with ROT13, a fixed letter substitution that offers no real confidentiality: there is no key, and anyone who captures the cookie can reverse it. The encoded string is stored in a cookie for later exfiltration to a remote command-and-control server.
Researchers expect Pipka to continue to be used by threat actors to compromise e-commerce merchant websites and harvest payment account data. Online retailers should therefore regularly scan and test their websites for vulnerabilities and injected scripts, restrict access to the administrative portal, and follow established web security practices.
Site operators, for their part, should keep the shopping cart, other services, and all supporting software upgraded or patched, and should enable two-factor authentication on administrative accounts as an added layer of protection.