Credit card skimmers are a significant threat at gas stations and other places where payment card terminals are left unattended. A skimmer is a device that fits into the card reader slot of a point-of-sale terminal and reads a card’s data as its owner performs a transaction. The captured data is then stored for the skimmer’s owner to retrieve later.
Payment card skimmers are a lucrative tool for criminals, since stolen card data can be used to make fraudulent purchases or resold on the black market. However, the threat of stolen payment card data isn’t limited to the physical world. Payment card skimmers also have digital counterparts. Instead of a physical appliance, they are malicious code that sits on the payment page of an organization’s website and harvests payment card information as users enter it to make online purchases.
A prime example of the potential impacts of having a skimmer on an organization’s website is the GDPR fine against British Airways levied in July 2019. The $230 million fine is the largest that GDPR regulators have assessed to date, and the cause of the fine was a Magecart skimmer on the British Airways payment page that scooped up passengers’ payment data.
Before diving into the details of the Pipka skimmer, it’s helpful to understand how skimmers work in general. For this, it’s important to have a fundamental understanding of how a webpage is put together.
Skimmers are malicious scripts that a cybercriminal has managed to include in a webpage. The structure of HTML allows CSS and script content to be embedded directly within a page or imported from a separate file. If an attacker can embed a malicious script within a payment page, or have the page load it from elsewhere, they can implement a skimmer. This can be accomplished in a variety of ways, from performing a cross-site scripting (XSS) attack to compromising an organization’s network and adding the malicious code to the page manually. Because these entry points are so widely available, several cybercrime groups are using skimmers, including a more recent one called Pipka.
The Pipka skimmer came to light in November 2019 in a report by Visa. The organization had detected the new skimmer in September of that year on an ecommerce website, and, through further investigation, identified it on sixteen additional websites.
The Pipka skimmer is well-designed. It can be configured to specify which form fields it collects, it supports multi-page checkout processes (where card information and customer details are entered on different pages), and it checks whether it has already collected a given set of payment card details before sending them to its command and control (C2) server. This last feature makes the malware stealthier, since there are fewer suspicious transmissions to be detected. Another stealth feature is that the skimmer exfiltrates data through an image GET request rather than POSTing it to the C2 server, so the traffic blends in with the ordinary image loads a page generates.
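As an added illustration (not code from the Visa report or from Pipka itself), the following Python shows how a defender might spot the image-GET exfiltration pattern described above in outbound request logs: a GET for an image path on a host outside the site’s allowlist whose query string carries a long, high-entropy value. The log lines, host names, allowlist and the query blob are all constructed for the example.

```python
import math
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of outbound requests recorded by a forward proxy (or a
# browser network capture) while a user sat on a checkout page. The long
# query value on the pixel.gif line is an invented placeholder, not real
# skimmer output.
SAMPLE_LOG = """\
2019-09-12T10:00:01Z GET https://shop.example.test/checkout 200
2019-09-12T10:00:01Z GET https://shop.example.test/static/img/logo.png 200
2019-09-12T10:00:02Z GET https://cdn.example.test/img/visa.svg?v=42 200
2019-09-12T10:00:07Z GET https://track.badsite.test/pixel.gif?d=Zq8vL3xKpD2mWn9YtR5cHb7JfG4sQe6uNa1iVo0kTyXw= 200
2019-09-12T10:00:08Z POST https://shop.example.test/api/order 201
"""

# Hosts the checkout page is expected to load images from (assumed allowlist).
FIRST_PARTY = {"shop.example.test", "cdn.example.test"}
IMAGE_EXT = re.compile(r"\.(?:gif|png|jpe?g|svg|webp|ico)$", re.IGNORECASE)
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")  # timestamp method url status


def shannon_entropy(s):
    """Bits per character: an encoded card record sits far above a short cache-buster like v=42."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_image_get_exfil(log_text, first_party=FIRST_PARTY, min_len=32, min_entropy=4.0):
    """Return (host, path, param) for image GETs to non-allowlisted hosts whose
    query string carries a long, high-entropy value, i.e. data riding on an
    image request instead of a POST."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _, method, url, _ = m.groups()
        if method != "GET":
            continue
        u = urlparse(url)
        if u.hostname in first_party or not IMAGE_EXT.search(u.path):
            continue
        for name, values in parse_qs(u.query).items():
            if any(len(v) >= min_len and shannon_entropy(v) >= min_entropy for v in values):
                hits.append((u.hostname, u.path, name))
    return hits
```

Browser-side, the same channel can be cut off by serving the checkout page with a Content-Security-Policy whose img-src (and script-src) directives name only first-party hosts, so a script cannot load an image from an arbitrary third-party domain.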
While Pipka has some new anti-forensics features, it is only one of a wide array of skimmers currently operating in the wild. The very visible successes of the Magecart group, including the British Airways breach, have inspired many other cybercriminals to start their own skimming campaigns. As a result, skimmers have become a significant threat to organizations’ website security and to their ability to maintain regulatory compliance.
In order for a skimmer to be effective, it needs to be embedded within an organization’s website. The most common method for accomplishing this is to exploit a web application vulnerability such as XSS. By deploying a web application firewall (WAF) capable of identifying and blocking XSS and similar attacks, an organization can dramatically reduce its exposure to skimmers on its web pages and better protect its customers’ payment card data.
About the author
Ben is an accomplished and experienced freelance writer who has featured in a number of high-profile publications and websites. If he’s not reading the Financial Times, you’ll find him listening to live music or at the coast surfing.
Image courtesy of PYMNTS