Visa Payment Fraud Disruption # Visa Security Alert AUGUST 2020 ‘Baka’ JavaScript Skimmer Identified **Distribution: Public** # Summary In February 2020, Visa Payment Fraud Disruption (PFD), using the [eCommerce Threat Disruption](https://usa.visa.com/dam/VCOM/regional/na/us/run-your-business/documents/ecommerce-threat-disruption-case-study-final.pdf) (eTD) capability, identified a previously unknown ecommerce skimmer, and named the skimmer ‘Baka’. PFD made the discovery while analyzing a command and control (C2) server that was previously observed hosting the ImageID skimmer variant. PFD’s investigation revealed seven C2 servers hosting the Baka skimming kit. While the skimmer itself is basic and contains the expected features offered by many ecommerce skimming kits (e.g. data _A skimming kit consists of an_ exfiltration using image requests and _administration panel, exfiltration gateway,_ configurable target form fields), the Baka _skimming script generator._ skimming kit’s advanced design indicates it was created by a skilled developer. The most compelling components of this kit are the unique loader and obfuscation method. The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated. PFD identified this unique skimmer on several merchant websites across multiple global regions using Visa’s eTD capability, which analyzes and detects threats targeting eCommerce merchants. PFD-20-027 Visa Public 1 ## A skimming kit consists of an administration panel, exfiltration gateway, skimming script generator. ----- Visa Payment Fraud Disruption # Malware Loader The Baka loader works by dynamically adding a script tag to the current page (Figure 1). The new script tag loads a remote JavaScript file, the URL of which is stored encrypted in the loader script (Figure 2). The attacker can change the URL for each victim. _Figure 1 - Malicious loader decrypts and executes the JavaScript loaded from the attacker’s server_ _Figure 2 - Function to load JavaScript on a page_ PFD-20-027 Visa Public 2 _Figure 2 - Function to load JavaScript on a page_ ----- Visa Payment Fraud Disruption When a customer visits the merchant’s checkout page, the loader executes the following steps to retrieve and execute the malicious skimming code: 1. Decrypt the hardcoded C2 URL (Figure 3) using a hardcoded key (Figure 4). _Figure 3 - Encrypted C2 URL_ _Figure 4 - C2 URL Decryption Key_ 2. Generate a random number to send to the C2 URL for skimming code (e.g. https://example[.]com/skimmer.js?q=0.123456890 where https://example[.]com/skimmer.js is the C2 URL and “123456890” is the random number. The string “?q=0.” is hardcoded in the loader). 3. The skimmer C2 returns a small piece of JavaScript that sets a variable named _scriptCallback to the encrypted C2 URL that receives the request (i.e. [https://example[.]com/skimmer.js?q=0.123456890).](https://example%5B.%5Dcom/skimmer.js?q=0.123456890) This return value is decrypted and loads a second time. The C2 server responds to the second request with the encrypted skimming code (Figure 5). _Figure 5 - Encrypted Skimming Code_ 4. The loader then decrypts the skimming code and executes it in memory. The skimming code is never present on the merchant’s server or saved to the customer’s computer. PFD-20-027 Visa Public 3 ----- Visa Payment Fraud Disruption # Skimming Malware The skimming payload decrypts to JavaScript written to resemble code that would be used to render pages dynamically. The same encryption method as seen with the loader is used for the payload. Once executed, the skimmer captures the payment data from the checkout form. When the skimmer is first loaded, it runs an initialization function that schedules five operations to run: 1. Generate a decryption function to decrypt the list of fields from which the skimmer will steal data (Figure 6). _Figure 6 - Skimmer Initialization_ 2. Skim the targeted fields every 100 milliseconds. When the attacker generates the skimming script for a victim, they specify which fields are targeted (Figure 7). This list of field names decrypts on-demand every 100ms when the skimmer runs. This function sets a flag called ‘this.rendered’ to indicate that data has been captured and stored in memory for exfiltration. 3. Check if the skimmer found data (e.g. ‘this.rendered’ is True) every 100 milliseconds. This function then calls for data exfiltration and sets a flag called ‘this.load’ indicating the skimmer successfully exfiltrated data. _Figure 7 - Encrypted list of field names for the skimmer to target_ 4. Check if the script should send data to the exfiltration gateway every 3 seconds. If the captured data flag is set, the exfiltration gateway URL is decrypted using the current victim merchant’s domain name as the key. The script then encodes the skimmed data into the GET parameters of the exfiltration URL. This URL resembles a link to an image, but no image exists at the location. The malware then adds an image tag that links the exfiltration URL to the merchant’s webpage resulting in a request being sent to the malicious URL with the stolen data attached and removes it after 3 seconds to avoid detection (Figure 8). PFD-20-027 Visa Public 4 _Figure 6 - Skimmer Initialization_ ----- Visa Payment Fraud Disruption _Figure 7 - Exfiltration code_ 5. The last operation that is scheduled is a clean-up function. If data is exfiltrated, the clean-up function removes the entire skimming code from memory to avoid detection (Figure 9). _Figure 8 - Clean-up Function_ PFD-20-027 Visa Public 5 _Figure 8 - Clean-up Function_ ----- Visa Payment Fraud Disruption # Unique Obfuscation To further prevent detection, Baka uses an XOR cipher to encrypt hard-coded values and obfuscate the skimming code delivered by the C2. While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware. The developer of this malware kit uses the same cipher function in the loader and the skimmer. Figure 10 shows the decryption function from one of the skimmer payloads. The displayed code creates a decryption function primed with a supplied key. The malware uses various values throughout, including the current domain the malware is running on, the random number generated in the loader, and the hardcoded value, “preProcessingPage”. The returned decryption function expects a hexadecimal string as input and works as follows: 1. The decryption function splits the string into a list of two character strings 2. The function then parses each two character string as a hexadecimal number and converts it into an integer 3. The resulting integers are decrypted using the key supplied when creating the decryption function 4. Finally, the function converts the integers to characters, resulting in the original plaintext _Figure 9 – XOR Cipher_ # Indicators of Compromise Visa observed the following domain names hosting the Baka skimmer. **Domain Names** jquery-cycle[.]com b-metric[.]com apienclave[.]com quicdn[.]com apisquere[.]com ordercheck[.]online pridecdn[.]com PFD-20-027 Visa Public 6 ----- Visa Payment Fraud Disruption # Best practices and mitigation measures - **Institute recurring checks in eCommerce environments for communications with the C2s.** - **Ensure familiarity and vigilance with code integrated into eCommerce environments via** service providers. - **Closely vet utilized Content Delivery Networks (CDN) and other third-party resources.** - **Regularly scan and test eCommerce sites for vulnerabilities or malware. Hire a trusted** professional or service provider with a reputation of security to secure the eCommerce environment. Ask questions and require a thorough report. Trust, but verify the steps taken by the company you hire. - **Regularly ensure shopping cart, other services, and all software are upgraded or patched** to the latest versions to keep attackers out. Set up a Web Application Firewall to block suspicious and malicious requests from reaching the website. There are options that are free, simple to use, and practical for small merchants. - **Limit access to the administrative portal and accounts to those who need them.** - **Require strong administrative passwords (use a password manager for best results) and** enable two-factor authentication. - **Consider using a fully hosted checkout solution where customers enter their payment** details on another webpage hosted by that checkout solution, separate from the merchant’s site. This is the most secure way to protect the merchant and their customers from eCommerce skimming malware. - **Implement Best Practices for Securing eCommerce as outlined by the** [PCI Security](https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf) [Standards Council.](https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf) - **Refer to Visa’s** [What to do if Compromised (WTDIC) document,](https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf) published October 2019. **_Disclaimer:_** _This report is intended for informational purposes only and should not be relied upon for operational, marketing, legal,_ _technical, tax, financial or other advice. Visa is not responsible for your use of the information contained in this report_ _(including errors, omissions, or non-timeliness of any kind) or any assumptions or conclusions you may draw from it._ _All Visa Payment Fraud Disruption Situational Intelligence Assessment content is provided for the intended recipient_ _only, and on a need-to-know basis. PFD reporting and intelligence are intended solely for the internal use of the_ _individual and organization to which they are addressed. Dissemination or redistribution of PFD products without_ _express permission is strictly prohibited._ PFD-20-027 Visa Public 7 -----