PFD-20-027-Visa Security Alert-Baka JavaScript Skimmer Visa Public Visa Payment Fraud Disruption PFD-20-027 Visa Public 1 Visa Security Alert AUGUST 2020 ‘Baka’ JavaScript Skimmer Identified Distribution: Public Summary In February 2020, Visa Payment Fraud Disruption (PFD), using the eCommerce Threat Disruption (eTD) capability, identified a previously unknown ecommerce skimmer, and named the skimmer ‘Baka’. PFD made the discovery while analyzing a command and control (C2) server that was previously observed hosting the ImageID skimmer variant. PFD’s investigation revealed seven C2 servers hosting the Baka skimming kit. While the skimmer itself is basic and contains the expected features offered by many ecommerce skimming kits (e.g. data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer. The most compelling components of this kit are the unique loader and obfuscation method. The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated. PFD identified this unique skimmer on several merchant websites across multiple global regions using Visa’s eTD capability, which analyzes and detects threats targeting eCommerce merchants. A skimming kit consists of an administration panel, exfiltration gateway, skimming script generator. https://usa.visa.com/dam/VCOM/regional/na/us/run-your-business/documents/ecommerce-threat-disruption-case-study-final.pdf Visa Public Visa Payment Fraud Disruption PFD-20-027 Visa Public 2 Malware Loader The Baka loader works by dynamically adding a script tag to the current page (Figure 1). The new script tag loads a remote JavaScript file, the URL of which is stored encrypted in the loader script (Figure 2). The attacker can change the URL for each victim. Figure 1 - Malicious loader decrypts and executes the JavaScript loaded from the attacker’s server Figure 2 - Function to load JavaScript on a page Visa Public Visa Payment Fraud Disruption PFD-20-027 Visa Public 3 When a customer visits the merchant’s checkout page, the loader executes the following steps to retrieve and execute the malicious skimming code: 1. Decrypt the hardcoded C2 URL (Figure 3) using a hardcoded key (Figure 4). Figure 3 - Encrypted C2 URL Figure 4 - C2 URL Decryption Key 2. Generate a random number to send to the C2 URL for skimming code (e.g. https://example[.]com/skimmer.js?q=0.123456890 where https://example[.]com/skimmer.js is the C2 URL and “123456890” is the random number. The string “?q=0.” is hardcoded in the loader). 3. The skimmer C2 returns a small piece of JavaScript that sets a variable named _scriptCallback to the encrypted C2 URL that receives the request (i.e. https://example[.]com/skimmer.js?q=0.123456890). This return value is decrypted and loads a second time. The C2 server responds to the second request with the encrypted skimming code (Figure 5). Figure 5 - Encrypted Skimming Code 4. The loader then decrypts the skimming code and executes it in memory. The skimming code is never present on the merchant’s server or saved to the customer’s computer. https://example%5B.%5Dcom/skimmer.js?q=0.123456890 Visa Public Visa Payment Fraud Disruption PFD-20-027 Visa Public 4 Skimming Malware The skimming payload decrypts to JavaScript written to resemble code that would be used to render pages dynamically. The same encryption method as seen with the loader is used for the payload. Once executed, the skimmer captures the payment data from the checkout form. When the skimmer is first loaded, it runs an initialization function that schedules five operations to run: 1. Generate a decryption function to decrypt the list of fields from which the skimmer will steal data (Figure 6). Figure 6 - Skimmer Initialization 2. Skim the targeted fields every 100 milliseconds. When the attacker generates the skimming script for a victim, they specify which fields are targeted (Figure 7). This list of field names decrypts on-demand every 100ms when the skimmer runs. This function sets a flag called ‘this.rendered’ to indicate that data has been captured and stored in memory for exfiltration. 3. Check if the skimmer found data (e.g. ‘this.rendered’ is True) every 100 milliseconds. This function then calls for data exfiltration and sets a flag called ‘this.load’ indicating the skimmer successfully exfiltrated data. Figure 7 - Encrypted list of field names for the skimmer to target 4. Check if the script should send data to the exfiltration gateway every 3 seconds. If the captured data flag is set, the exfiltration gateway URL is decrypted using the current victim merchant’s domain name as the key. The script then encodes the skimmed data into the GET parameters of the exfiltration URL. This URL resembles a link to an image, but no image exists at the location. The malware then adds an image tag that links the exfiltration URL to the merchant’s webpage resulting in a request being sent to the malicious URL with the stolen data attached and removes it after 3 seconds to avoid detection (Figure 8). Visa Public Visa Payment Fraud Disruption PFD-20-027 Visa Public 5 Figure 7 - Exfiltration code 5. The last operation that is scheduled is a clean-up function. If data is exfiltrated, the clean-up function removes the entire skimming code from memory to avoid detection (Figure 9). Figure 8 - Clean-up Function Visa Public Visa Payment Fraud Disruption PFD-20-027 Visa Public 6 Unique Obfuscation To further prevent detection, Baka uses an XOR cipher to encrypt hard-coded values and obfuscate the skimming code delivered by the C2. While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware. The developer of this malware kit uses the same cipher function in the loader and the skimmer. Figure 10 shows the decryption function from one of the skimmer payloads. The displayed code creates a decryption function primed with a supplied key. The malware uses various values throughout, including the current domain the malware is running on, the random number generated in the loader, and the hardcoded value, “preProcessingPage”. The returned decryption function expects a hexadecimal string as input and works as follows: 1. The decryption function splits the string into a list of two character strings 2. The function then parses each two character string as a hexadecimal number and converts it into an integer 3. The resulting integers are decrypted using the key supplied when creating the decryption function 4. Finally, the function converts the integers to characters, resulting in the original plaintext Figure 9 – XOR Cipher Indicators of Compromise Visa observed the following domain names hosting the Baka skimmer. Domain Names jquery-cycle[.]com b-metric[.]com apienclave[.]com quicdn[.]com apisquere[.]com ordercheck[.]online pridecdn[.]com Visa Public Visa Payment Fraud Disruption PFD-20-027 Visa Public 7 Best practices and mitigation measures • Institute recurring checks in eCommerce environments for communications with the C2s. • Ensure familiarity and vigilance with code integrated into eCommerce environments via service providers. • Closely vet utilized Content Delivery Networks (CDN) and other third-party resources. • Regularly scan and test eCommerce sites for vulnerabilities or malware. Hire a trusted professional or service provider with a reputation of security to secure the eCommerce environment. Ask questions and require a thorough report. Trust, but verify the steps taken by the company you hire. • Regularly ensure shopping cart, other services, and all software are upgraded or patched to the latest versions to keep attackers out. Set up a Web Application Firewall to block suspicious and malicious requests from reaching the website. There are options that are free, simple to use, and practical for small merchants. • Limit access to the administrative portal and accounts to those who need them. • Require strong administrative passwords (use a password manager for best results) and enable two-factor authentication. • Consider using a fully hosted checkout solution where customers enter their payment details on another webpage hosted by that checkout solution, separate from the merchant’s site. This is the most secure way to protect the merchant and their customers from eCommerce skimming malware. • Implement Best Practices for Securing eCommerce as outlined by the PCI Security Standards Council. • Refer to Visa’s What to do if Compromised (WTDIC) document, published October 2019. Disclaimer: This report is intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. Visa is not responsible for your use of the information contained in this report (including errors, omissions, or non-timeliness of any kind) or any assumptions or conclusions you may draw from it. All Visa Payment Fraud Disruption Situational Intelligence Assessment content is provided for the intended recipient only, and on a need-to-know basis. PFD reporting and intelligence are intended solely for the internal use of the individual and organization to which they are addressed. Dissemination or redistribution of PFD products without express permission is strictly prohibited. https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf Summary Malware Loader Skimming Malware Unique Obfuscation Indicators of Compromise Accessibility Report Filename: PFD-20-027_Visa Security Alert_ Baka JavaScript Skimmer v2.pdf Report created by: Organization: [Enter personal and organization information through the Preferences > Identity dialog.] Summary The checker found problems which may prevent the document from being fully accessible. Needs manual check: 2 Passed manually: 0 Failed manually: 0 Skipped: 1 Passed: 27 Failed: 2 Detailed Report Document Rule Name Status Description Accessibility permission flag Passed Accessibility permission flag must be set Image-only PDF Passed Document is not image-only PDF Tagged PDF Passed Document is tagged PDF Logical Reading Order Needs manual check Document structure provides a logical reading order Primary language Passed Text language is specified Title Passed Document title is showing in title bar Bookmarks Passed Bookmarks are present in large documents Color contrast Needs manual check Document has appropriate color contrast Page Content Rule Name Status Description Tagged content Passed All page content is tagged Tagged annotations Passed All annotations are tagged Tab order Passed Tab order is consistent with structure order Character encoding Passed Reliable character encoding is provided Tagged multimedia Passed All multimedia objects are tagged Screen flicker Passed Page will not cause screen flicker Scripts Passed No inaccessible scripts Timed responses Passed Page does not require timed responses Navigation links Passed Navigation links are not repetitive Forms Rule Name Status Description Tagged form fields Passed All form fields are tagged Field descriptions Passed All form fields have description Alternate Text Rule Name Status Description Figures alternate text Passed Figures require alternate text Nested alternate text Passed Alternate text that will never be read Associated with content Passed Alternate text must be associated with some content Hides annotation Passed Alternate text should not hide annotation Other elements alternate text Skipped Other elements that require alternate text Tables Rule Name Status Description Rows Passed TR must be a child of Table, THead, TBody, or TFoot TH and TD Passed TH and TD must be children of TR Headers Passed Tables should have headers Regularity Passed Tables must contain the same number of columns in each row and rows in each column Summary Passed Tables must have a summary Lists Rule Name Status Description List items Failed LI must be a child of L Lbl and LBody Failed Lbl and LBody must be children of LI Headings Rule Name Status Description Appropriate nesting Passed Appropriate nesting Back to Top