Payment card provider Visa has warned its users about a new credit card skimming malware dubbed "Baka" that can evade traditional detection methods. Visa's Payment Fraud Disruption (PFD) division discovered the skimmer while analyzing a command and control (C2) server, and has since identified seven C2 servers hosting the Baka skimming kit.
Baka: The Unique Skimmer
Along with the basic features found in other skimming kits, Baka has advanced capabilities that help it bypass security scanners. In addition, the skimmer can remove itself from memory on the victim's device after exfiltrating data.
According to Visa's PFD division, the skimmer performs five scheduled operations after it is injected into the victim merchant's page.
- Generate a decryption function and use it to decrypt the list of fields from which the skimmer will steal data.
- Every 100 milliseconds, skim the targeted fields. The attacker specifies which fields are targeted when generating the skimming script for a victim.
- Every 100 milliseconds, check whether the skimmer has found data. If it has, this function calls for data exfiltration and sets a flag called "this.load" indicating the skimmer successfully exfiltrated data.
- Every 3 seconds, check whether the script should send data to the exfiltration gateway. If the captured-data flag is set, the exfiltration gateway URL is decrypted using the current victim merchant's domain name as the key, and the skimmed data is encoded into the GET parameters of that URL.
- The last scheduled operation is a clean-up function. Once data has been exfiltrated, it removes the entire skimming code from memory to avoid detection.
Read the full article from CISO Mag here.