JavaScript nasty removes itself from memory once it has siphoned off payment card data

Visa has issued a warning over a new online credit card skimmer dubbed ‘Baka’.

The malicious JavaScript code bundles features designed to allow it to avoid detection on compromised systems.

For example, the skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim in order to avoid offering a tell-tale signature that malware hunters might target.

According to an alert from Visa’s Payment Fraud Disruption (PFD) division, the skimmer also attempts to avoid detection and analysis by “removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated”.

Skimming the surface

Baka uses an XOR cipher to encrypt hardcoded values and obfuscate the skimming code from a command server.

Abuse of the XOR cipher to obfuscate malicious code is a known trick among malware slingers, but not one previously seen among JavaScript skimming malware strains.


RECOMMENDED Quantum leap forward in cryptography could make niche technology mainstream


Although it bundles anti-detection methods, the skimmer itself is run of the mill, accord to Visa.

“While the skimmer itself is basic and contains the expected features offered by many e-commerce skimming kits (e.g. data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer,” the alert concludes.

The banking industry organization – which put out an alert about the malware in late August – said it had detected Baka on “several merchant websites across multiple global regions” since first detecting to malware back in February.


READ MORE DDoS extortionists posing as cyberspies to run blackmail scam