Visa has issued a warning over a new online credit card skimmer dubbed ‘Baka’.
For example, the skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim in order to avoid offering a tell-tale signature that malware hunters might target.
According to an alert from Visa’s Payment Fraud Disruption (PFD) division, the skimmer also attempts to avoid detection and analysis by “removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated”.
Skimming the surface
Baka uses an XOR cipher to encrypt hardcoded values and obfuscate the skimming code from a command server.
Although it bundles anti-detection methods, the skimmer itself is run of the mill, according to Visa.
“While the skimmer itself is basic and contains the expected features offered by many e-commerce skimming kits (e.g. data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer,” the alert concludes.
The banking industry organization – which put out an alert about the malware in late August – said it had detected Baka on “several merchant websites across multiple global regions” since first detecting the malware back in February.
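Because Baka varies its encryption parameters per victim, a fixed signature is of little use, but the exfiltration channel the alert describes (image requests) can still be checked by shape. The following is an added example, not code from Visa's alert or from this article: it scans requests recorded on a checkout page and flags image requests to non-allowlisted hosts whose query parameters carry long, high-entropy values. The host names, sample URLs and thresholds are constructed assumptions.

```javascript
// Added example: flag image requests that look like encoded-data beacons.
// Hosts, URLs and thresholds below are constructed for illustration.
const ALLOWED_IMAGE_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// Shannon entropy in bits per character; encoded or encrypted blobs score high.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// requests: [{ type, url }], e.g. taken from a browser HAR export or a
// proxy log for the checkout page.
function findSuspectImageBeacons(requests, minLen = 40, minEntropy = 4.0) {
  const findings = [];
  for (const req of requests) {
    if (req.type !== "image") continue;
    let u;
    try { u = new URL(req.url); } catch { continue; } // skip malformed URLs
    if (ALLOWED_IMAGE_HOSTS.has(u.hostname)) continue;
    for (const [name, value] of u.searchParams) {
      // Long, high-entropy parameter on a third-party image: worth review.
      if (value.length >= minLen && entropy(value) >= minEntropy) {
        findings.push({ host: u.hostname, param: name, length: value.length });
      }
    }
  }
  return findings;
}

// Constructed sample traffic from a checkout page.
const sampleRequests = [
  { type: "image", url: "https://cdn.shop.example/img/logo.png?v=3" },
  { type: "script", url: "https://cdn.shop.example/js/checkout.js" },
  { type: "image", url: "https://stats.invalid/p.gif?d=Qk5aR3x0eVc4cDJMbUhkOXZYczFKZlVhNmtUcTNFb1l3N2JDZ0k=" },
  { type: "image", url: "https://pixel.partner.example/t.gif?page=checkout" },
];

console.log(findSuspectImageBeacons(sampleRequests));
```

A hit is a lead for review rather than proof of skimming, since legitimate analytics pixels can also carry opaque tokens; the allowlist and thresholds need tuning per site.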