What sets Pipka apart from other skimmers is the fact that it has the ability to remove itself from the compromised HTML code after execution, in an effort to avoid detection, Visa notes in a security alert (PDF).
The skimmer allows operators to configure the form fields to be parsed and extracted from the targeted checkout pages, including payment account number, expiration date, CVV, and cardholder name and address. Before execution, the code checks for these configured fields.
Directly injected at different locations on the compromised websites, the skimmer harvests data from the targeted fields, then encodes it in base64, encrypts it and exfiltrates it, but not before checking if the data string was previously sent to the command and control (C&C) server.
One of the analyzed samples was designed to target two-step checkout pages, where billing data and payment account data are collected on different pages.
The skimmer shows a focus on anti-forensics: it calls a function that clears the skimmer's own script tag from the page immediately after the script loads, making it difficult for analysts or website administrators to notice the code.
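As an added, defender-side illustration (not code from Visa's alert or from the skimmer), the following browser snippet flags script elements that are removed from the DOM shortly after being inserted or shortly after page load, which is the self-clearing behaviour described above. The classification is kept in plain functions so it can be tested outside a browser; the 5-second window, the function names and the constructed sample nodes are assumptions.

```javascript
// Added example: detect <script> elements that disappear from the DOM soon after
// they appear (the anti-forensic self-removal described in the article).
// Thresholds and names below are assumptions for illustration.

const REMOVAL_WINDOW_MS = 5000; // assumption: "shortly after" means within 5 s

// Summarise a removed script node for a forensic log entry. `node` may be a DOM
// element or a plain object carrying tagName, src and textContent.
function describeScript(node) {
  return {
    src: node.src || null,
    inline: node.src ? null : (node.textContent || '').slice(0, 200),
  };
}

// Return an event if a <script> was removed within REMOVAL_WINDOW_MS of its
// insertion (or of page load, when the observer never saw it inserted).
function classifyRemoval(node, removedAt, insertedAt, loadedAt) {
  if (!node || String(node.tagName).toUpperCase() !== 'SCRIPT') return null;
  const reference = insertedAt !== undefined ? insertedAt : loadedAt;
  const ageMs = removedAt - reference;
  if (ageMs < 0 || ageMs > REMOVAL_WINDOW_MS) return null;
  return { ...describeScript(node), ageMs, reason: 'script removed shortly after load' };
}

// Process MutationRecord-like objects ({addedNodes, removedNodes}) against a
// clock value, updating `state` and returning the suspicious removals.
function processRecords(records, nowMs, state) {
  const events = [];
  for (const rec of records) {
    for (const n of rec.addedNodes || []) state.inserted.set(n, nowMs);
    for (const n of rec.removedNodes || []) {
      const ev = classifyRemoval(n, nowMs, state.inserted.get(n), state.loadedAt);
      if (ev) events.push(ev);
      state.inserted.delete(n);
    }
  }
  return events;
}

// Browser wiring: only armed when a DOM and MutationObserver exist. The observer
// must be installed before any third-party script runs to see its removal.
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  const state = { inserted: new Map(), loadedAt: Date.now() };
  new MutationObserver((records) => {
    for (const ev of processRecords(records, Date.now(), state)) {
      console.warn('[script-removal]', ev); // replace with a beacon to your telemetry
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Because the skimmer runs in the same page context, this is best-effort telemetry that complements server-side file-integrity monitoring of the checkout pages rather than replacing it.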
The end result of Pipka, however, is the same as with any other skimmer, even if some of its methods differ: exfiltrating payment card data from ecommerce websites. The new threat, Visa notes, is expected to continue to be used in live attacks.