Visa is warning e-commerce merchants about recently discovered skimming malware that is able to avoid detection by “removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated.”
The credit card-stealing script was found in “several merchant websites across multiple global regions,” the alert warned. It’s unclear exactly how widespread the threat from Baka is at this time, according to Visa. Visa’s Payment Fraud Disruption (PFD) group said it uncovered the so-called “Baka” skimmer in February during analysis of a command and control server associated with the ImageID variant. PFD found seven servers hosting the Baka skimming kit at that time.
“While the skimmer itself is basic and contains the expected features offered by many e-commerce skimming kits (e.g., data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer,” said Visa in a statement on Baka.
To mitigate the threat from Baka, Visa makes several recommendations, including instituting recurring checks in e-commerce environments for communications with the C2s, and staying familiar with, and vigilant about, code integrated into e-commerce environments via service providers.
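
One way to run such a recurring check, added here as an illustration and not taken from Visa's alert: the script below inventories every host that a checkout page's markup loads from or posts to, then flags known C2 hosts and any host outside an approved list. The page URL, the approved list, the C2 entry and the sample HTML are constructed placeholders; real indicators would come from Visa's alert.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch from, or post to, another origin.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}

class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource reference in the markup."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value.strip()))

def audit_page(html, page_url, allowed_hosts, c2_hosts):
    """Return (tag, host, reason) for references to known-C2 or unapproved hosts."""
    collector = _RefCollector()
    collector.feed(html)
    own_host = urlparse(page_url).hostname
    findings = []
    for tag, ref in collector.refs:
        # Resolve relative and protocol-relative URLs; hostname is lower-cased.
        host = urlparse(urljoin(page_url, ref)).hostname
        if host is None or host == own_host:
            continue  # same-origin or non-network (data:, javascript:) reference
        if host in c2_hosts:
            findings.append((tag, host, "known-c2"))
        elif host not in allowed_hosts:
            findings.append((tag, host, "unapproved"))
    return findings

# Constructed sample: hosts are placeholders, not indicators from Visa's alert.
SAMPLE_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.payments-provider.example/sdk.js"></script>
<script src="//Widgets.unknown-vendor.example/loader.js"></script>
</head><body>
<form action="/checkout/pay" method="post"><input name="cardnumber"></form>
<img src="https://c2-placeholder.invalid/p.gif?d=abc">
</body></html>
"""
ALLOWED = {"cdn.payments-provider.example"}      # approved service providers
C2_PLACEHOLDER = {"c2-placeholder.invalid"}      # stand-in for alert indicators

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "https://shop.example/checkout", ALLOWED, C2_PLACEHOLDER))
```

This inspects only references present in the served HTML, so pair it with egress or proxy log review to cover resources loaded at runtime.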