‘Baka’ Avoids Detection While Stealing Customers’ Payment Card Data
Visa’s payment fraud disruption team is warning of a recently uncovered skimmer called “Baka” that is stealing payment card data from e-commerce sites while hiding from security tools.
Researchers discovered the malicious code while examining a command-and-control infrastructure that previously hosted the ImageID skimmer.
The Baka skimmer has been found in “several merchant websites across multiple global regions,” the alert notes, but it does not provide further details.
“The most compelling components of this kit are the unique loader and obfuscation method,” the Visa alert notes. “The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. … This skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated.”
How Baka Works
The Visa alert does not indicate how Baka is initially delivered to a network. But the report notes that the malicious code is hosted on several suspicious domains, including: jquery-cycle[.]com, b-metric[.]com, apienclave[.]com, quicdn[.]com, apisquere[.]com, ordercheck[.]online and pridecdn[.]com.
Once the initial infection takes hold, the skimmer is uploaded through the command-and-control server, but the code loads in memory. This means the malware is never present on the targeted e-commerce firm’s server or saved to another device, helping it to avoid detection, according to the alert.
Once embedded in an e-commerce site’s checkout page, the skimmer begins to collect payment and other customer data from various fields and sends the information to the fraudsters’ command-and-control server, Visa notes.
Visa’s analysts found that the operators behind Baka use an XOR cipher as a way to obscure the malicious code and further hide it from detection, according to the alert.
The Visa alert advises e-commerce merchants to take several steps to mitigate skimming risks, including:
- Run regular checks to determine if any code is attempting to communicate with a known command-and-control server;
- Check code added through a service provider;
- Vet content delivery networks and other third parties that have access to the checkout function;
- Update and patch any software or services used on checkout sites and consider adding a firewall;
- Limit access to online administrative portals and ensure that those with access use strong passwords.
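As an added example (not code from the Visa alert or from the skimmer itself), the following JavaScript implements the first recommendation above: it matches the script references on a checkout page against the suspicious domains the alert names, covering subdomains and URLs built inside inline scripts. The sample page, the merchant host name and the helper names are constructed for illustration.

```javascript
// Added example (not from the Visa alert): check a checkout page's script
// references against the suspicious domains the alert lists. Domains are
// written in defanged form ("jquery-cycle[.]com") as in the alert.
const BAKA_DOMAINS_DEFANGED = [
  "jquery-cycle[.]com", "b-metric[.]com", "apienclave[.]com", "quicdn[.]com",
  "apisquere[.]com", "ordercheck[.]online", "pridecdn[.]com",
];

// Turn a defanged indicator back into a lowercase hostname for matching.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, ".").trim().toLowerCase();
}
const BLOCKLIST = new Set(BAKA_DOMAINS_DEFANGED.map(refang));

// True if host equals a listed domain or is a subdomain of one.
function isListedHost(host) {
  const parts = host.toLowerCase().split(".");
  for (let i = 0; i < parts.length - 1; i++) {
    if (BLOCKLIST.has(parts.slice(i).join("."))) return true;
  }
  return false;
}

// Collect URLs that could load or contact remote code: absolute URLs anywhere
// (including string literals in inline scripts, since dynamic loaders build
// the URL at run time) plus scheme-relative src attributes ("//host/path").
function extractUrls(html) {
  const urls = new Set();
  for (const m of html.matchAll(/https?:\/\/[^\s"'<>)]+/gi)) urls.add(m[0]);
  for (const m of html.matchAll(/src\s*=\s*["'](\/\/[^"']+)["']/gi)) {
    urls.add("https:" + m[1]);
  }
  return [...urls];
}

// Return the distinct listed hosts the page references (empty = no hit).
function findSuspiciousReferences(html) {
  const hits = new Set();
  for (const u of extractUrls(html)) {
    let host;
    try { host = new URL(u).hostname; } catch { continue; }
    if (isListedHost(host)) hits.add(host);
  }
  return [...hits];
}

// Constructed sample checkout page, not real merchant content.
const SAMPLE_CHECKOUT_HTML = `
<script src="https://cdn.example-merchant.test/checkout.js"></script>
<script src="//static.jquery-cycle.com/cycle.min.js"></script>
<script>var u="https://apienclave.com/api/v1/";</script>`;
```

Running `findSuspiciousReferences(SAMPLE_CHECKOUT_HTML)` on the sample flags both the scheme-relative script tag and the URL assembled inside the inline script, while the merchant's own CDN passes.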
Other Skimming Attacks
In August, security firm Group-IB warned of a cybercriminal gang called “UltraRank” that is using malicious code to skim payment card data and then selling that information to others on its own underground site (see: ‘UltraRank’ Gang Sells Card Data It Steals).
Earlier this month, security firm Malwarebytes warned that some fraudsters have started using encrypted messages on Telegram to steal data faster (see: Fraudsters Use Telegram App to Steal Payment Card Data).