By Bruce Sussman
Tue | Sep 8, 2020 | 1:09 PM PDT

From time to time, Visa issues cybersecurity alerts as new waves of payment fraud either emerge or surge in various countries around the globe.

Its latest alert is about "Baka," which cybercriminals are using to skim credit card data from customers checking out on websites.

Criminal groups can either use the stolen data themselves or sell the still-valid account details before anyone knows the account numbers are compromised.

Baka card skimming attack is unique

Cybercriminals have all kinds of card skimming tricks up their digital sleeves, and evolve their methods to avoid detection on corporate networks for as long as possible.

And that is part of what makes Baka unique. According to Visa, it uses a first-of-its-kind method of obfuscation seen in card skimming:

"Baka uses an XOR cipher to encrypt hard-coded values and obfuscate the skimming code delivered by the C2. While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware. The developer of this malware kit uses the same cipher function in the loader and the skimmer."

The cipher hides what the code is actually doing, so the attack is less likely to be detected, and harder to understand if it is. The "C2" mentioned above is the attackers' "command and control" server, which delivers the skimming code to the compromised site.
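To make the obfuscation described in Visa's quote concrete from the analyst's side, here is an added example (it is not code from Visa's alert or from this article) of reversing repeating-key XOR string obfuscation during triage of a captured sample. The key "K9", the decoder name `_d`, and the sample source lines are all constructed for this example and are not real Baka indicators.

```javascript
// Added example (not code from Visa's alert or this article): an analyst-side helper for
// reversing the kind of repeating-key XOR string obfuscation described above, so the
// hard-coded values in a captured loader or skimmer can be read in the clear during triage.
// The key, the "_d" decoder name and the sample source are constructed for this example;
// they are not real Baka indicators.

function xorBytes(bytes, key) {
  // XOR is symmetric, so one routine both encodes and decodes. The key repeats cyclically.
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

function encodeXorHex(text, key) {
  // Produce the hex form a loader would embed (used here only to build the sample below).
  const bytes = new TextEncoder().encode(text);
  return Array.from(xorBytes(bytes, key), (b) => b.toString(16).padStart(2, "0")).join("");
}

function decodeXorHex(hex, key) {
  // Reverse a hex-encoded XOR string back to readable text.
  const pairs = hex.match(/[0-9a-f]{2}/gi) || [];
  const bytes = Uint8Array.from(pairs, (h) => parseInt(h, 16));
  return new TextDecoder().decode(xorBytes(bytes, key));
}

function decodeHexLiterals(source, key) {
  // Pull every _d("<hex>") call out of a source sample and decode its argument.
  return Array.from(source.matchAll(/_d\("([0-9a-f]+)"\)/gi), (m) => decodeXorHex(m[1], key));
}

function classifyDecoded(value) {
  // Coarse triage buckets: where data goes (URL) vs. what is collected (form field names).
  if (/^https?:\/\//i.test(value)) return "url";
  if (/card|cc_|cvv|cvc|expir/i.test(value)) return "payment-field";
  return "other";
}

// Constructed sample: a two-byte key and two obfuscated literals. The first hex string is
// "cc_number" XOR-ed with the key by hand; the second is built with encodeXorHex at load time.
const SAMPLE_KEY = "K9";
const SAMPLE_SOURCE = [
  'var f=_d("285a14573e54295c39");',
  `var u=_d("${encodeXorHex("https://c2.example.invalid/collect", SAMPLE_KEY)}");`,
].join("\n");

function triageSample(source = SAMPLE_SOURCE, key = SAMPLE_KEY) {
  // Decode every literal in the sample and label it for the analyst.
  return decodeHexLiterals(source, key).map((v) => ({ value: v, kind: classifyDecoded(v) }));
}

console.log(triageSample());
```

Because the same cipher routine is used by both the loader and the skimmer, recovering the per-victim key from one component lets an analyst decode the strings in the other with the same helper; the point of the exercise is reading what fields are collected and where they are sent, which is what feeds detection rules and takedown requests.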

And Visa's Payment Fraud Disruption Team (PFD) also shared another key way the Baka malware likes to hide:

"The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated."

12 top ways to defend against Baka and other credit card skimmers

Visa's security alert on the Baka card skimming malware also offers 12 best practices for protecting your organization's website from becoming a card skimming victim.

1. Institute recurring checks in eCommerce environments for communications with the C2s.

2. Ensure familiarity and vigilance with code integrated into eCommerce environments via service providers.

3. Closely vet utilized Content Delivery Networks (CDN) and other third-party resources.

4. Regularly scan and test eCommerce sites for vulnerabilities or malware.

5. Hire a trusted professional or service provider with a reputation for security to secure the eCommerce environment.

6. Ask questions and require a thorough report. Trust, but verify the steps taken by the company you hire.

7. Regularly ensure shopping cart, other services, and all software are upgraded or patched to the latest versions to keep attackers out.

8. Set up a Web Application Firewall to block suspicious and malicious requests from reaching the website. There are options that are free, simple to use, and practical for small merchants.

9. Limit access to the administrative portal and accounts to those who need them.

10. Require strong administrative passwords (use a password manager for best results) and enable two-factor authentication.

11. Consider using a fully hosted checkout solution where customers enter their payment details on another webpage hosted by that checkout solution, separate from the merchant's site. This is the most secure way to protect the merchant and their customers from eCommerce skimming malware.

12. Implement Best Practices for Securing eCommerce as outlined by the PCI Security Standards Council.
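Items 1 through 3 above (recurring checks, vigilance over code integrated via service providers, and vetting of CDNs and other third-party resources) come down to knowing exactly which scripts run on the checkout page and noticing when that set changes. The following is an added example, not code from Visa's alert or this article, of a recurring check that inventories the script tags on a checkout page, flags anything outside an allowlist or lacking Subresource Integrity, and reports scripts that were not present in a previously recorded baseline. The hostnames, the allowlist, the baseline and the HTML are constructed for this example, and the tag scanner is a deliberate simplification suitable for a page the merchant controls.

```javascript
// Added example (not from Visa's alert or this article): a recurring inventory check for
// <script> tags on a checkout page. Hosts, allowlist, baseline and HTML are constructed.

// Placeholder allowlist: the merchant's own host plus the CDN it has vetted.
const PAGE_HOST = "shop.example";
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "cdn.example"]);

function parseScriptTags(html) {
  // Minimal tag scanner: enough to diff a page we control between runs, not a full HTML parser.
  const tags = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(re)) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    const integrity = /\bintegrity\s*=/i.test(attrs);
    tags.push({ src, integrity, inline: m[2].trim() });
  }
  return tags;
}

function auditScripts(html, allowedHosts = ALLOWED_SCRIPT_HOSTS, pageHost = PAGE_HOST) {
  // Return one finding per script that a reviewer should look at before the next release.
  const findings = [];
  for (const tag of parseScriptTags(html)) {
    if (tag.src) {
      let host;
      try {
        host = new URL(tag.src, `https://${pageHost}/`).host; // resolves relative and protocol-relative src
      } catch {
        host = null;
      }
      if (!host || !allowedHosts.has(host)) {
        findings.push({ severity: "high", reason: "script host not on allowlist", src: tag.src });
      } else if (host !== pageHost && !tag.integrity) {
        // A vetted CDN is still third-party code; SRI pins the exact file that was reviewed.
        findings.push({ severity: "medium", reason: "third-party script without Subresource Integrity", src: tag.src });
      }
    } else if (/\b(eval|unescape|String\.fromCharCode)\s*\(/.test(tag.inline)) {
      // Inline scripts that build code at runtime are where dynamically loaded skimmers tend to start.
      findings.push({ severity: "medium", reason: "inline script uses dynamic code construction", src: null });
    }
  }
  return findings;
}

function newScriptsSince(baselineSrcs, html) {
  // The recurring-check part: anything not in the last approved inventory is new and needs review.
  const seen = new Set(baselineSrcs);
  return parseScriptTags(html).map((t) => t.src).filter((s) => s && !seen.has(s));
}

// Constructed checkout page: two approved scripts, one CDN script without SRI, one unknown
// host, and one inline script that decodes itself at runtime.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib/cart.min.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/lib/analytics.js"></script>
<script src="https://static.not-on-allowlist.invalid/l.js"></script>
<script>var k=unescape("%6C%6F%61%64");</script>
</head></html>`;

// Constructed baseline: the inventory recorded at the last approved release.
const SAMPLE_BASELINE = [
  "/js/checkout.js",
  "https://cdn.example/lib/cart.min.js",
  "https://cdn.example/lib/analytics.js",
];

console.log(auditScripts(SAMPLE_CHECKOUT_HTML));
console.log(newScriptsSince(SAMPLE_BASELINE, SAMPLE_CHECKOUT_HTML));
```

Run on a schedule against the live checkout page (rather than the source in the repository), the baseline diff is what catches a loader injected through a compromised plugin or CDN account, since the injected tag is new by definition even when it points at a plausible-looking host.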

Cybercriminals are always evolving, and so are their attacks. However, if you implement these best practices, Visa says you will greatly reduce the risk that your organization will get caught in a card skimming attack.