- Joined
- Jun 13, 2020
- Messages
- 7,903
- Reaction score
- 942
- Points
- 212
- Awards
- 2
Baka has an extended design, indicating the work of an experienced malware developer.
Visa has issued a warning about a new electronic skimmer known as Baka, which deletes itself from memory after retrieving stolen data.
A new scenario of theft of credit card data was discovered by specialists as part of the Visa Payment Fraud Disruption (PFD) initiative in February 2020 while researching a C&C server that previously hosted the ImageID web skimmer kit.
In addition to the usual basic skimming features such as custom target form fields and data theft using image requests, Baka has an advanced design indicating the work of an experienced malware developer, as well as a unique cloaking method and loader.
"The skimmer is loaded dynamically to avoid the use of static malware scanners, and uses unique encryption settings for each victim to hide malicious code," Visa said in a warning.
This skimmer option avoids detection and analysis by removing itself from memory when it detects dynamic analysis capability using developer tools or when data has been successfully deleted.
Visa specialists found Baka in several online stores from different countries. The skimmer is added to the merchant's checkout pages using a script tag, and its loader downloads the skimming code from the C&C server and executes it in memory.
This allows cybercriminals to be sure that the skimming code used to collect customer data will not be found when analyzing files located on the seller's server or the buyer's computer.
Baka is also the first JavaScript skimming malware detected by Visa that uses the XOR cipher to obfuscate the scan code downloaded from the C&C server and any encrypted values.
Visa has issued a warning about a new electronic skimmer known as Baka, which deletes itself from memory after retrieving stolen data.
A new scenario of theft of credit card data was discovered by specialists as part of the Visa Payment Fraud Disruption (PFD) initiative in February 2020 while researching a C&C server that previously hosted the ImageID web skimmer kit.
In addition to the usual basic skimming features such as custom target form fields and data theft using image requests, Baka has an advanced design indicating the work of an experienced malware developer, as well as a unique cloaking method and loader.
"The skimmer is loaded dynamically to avoid the use of static malware scanners, and uses unique encryption settings for each victim to hide malicious code," Visa said in a warning.
This skimmer option avoids detection and analysis by removing itself from memory when it detects dynamic analysis capability using developer tools or when data has been successfully deleted.
Visa specialists found Baka in several online stores from different countries. The skimmer is added to the merchant's checkout pages using a script tag, and its loader downloads the skimming code from the C&C server and executes it in memory.
This allows cybercriminals to be sure that the skimming code used to collect customer data will not be found when analyzing files located on the seller's server or the buyer's computer.
Baka is also the first JavaScript skimming malware detected by Visa that uses the XOR cipher to obfuscate the scan code downloaded from the C&C server and any encrypted values.