Visa Warns of E-Commerce Skimmer Threat

The JavaScript skimmer can avoid static malware scanners and creates unique URLs for each victim.

August 31, 2020

NEW YORK—Visa last week issued a data security bulletin warning retailers of an e-commerce skimmer first identified in February on several merchant websites worldwide, and the credit card firm offered businesses advice on best practices and mitigation measures to reduce the threat of a data breach.

Visa said the previously unknown skimmer, which it named Baka, “loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code.” Visa said the “skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated.”

Visa has identified seven domain names hosting the Baka skimmer: jquery-cycle[.]com; b-metric[.]com; apienclave[.]com; quicdn[.]com; apisquere[.]com; ordercheck[.]online and pridecdn[.]com.

Visa’s best practices and mitigation measures include: 

  • Institute recurring checks in e-commerce environments for communications with the C2s.
  • Ensure familiarity and vigilance with code integrated into e-commerce environments via service providers.
  • Closely vet utilized Content Delivery Networks (CDN) and other third-party resources.
  • Regularly scan and test e-commerce sites for vulnerabilities or malware. Hire a trusted professional or service provider with a reputation of security to secure the e-commerce environment. Ask questions and require a thorough report. Trust, but verify the steps taken by the company you hire.
  • Regularly ensure shopping cart, other services, and all software are upgraded or patched to the latest versions to keep attackers out. Set up a web application firewall to block suspicious and malicious requests from reaching the website. There are options that are free, simple to use, and practical for small merchants.
  • Limit access to the administrative portal and accounts to those who need them.
  • Require strong administrative passwords (use a password manager for best results) and enable two-factor authentication.
  • Consider using a fully hosted checkout solution where customers enter their payment details on another webpage hosted by that checkout solution, separate from the merchant’s site.
  • Implement best practices for securing e-commerce.
  • Refer to Visa’s What to Do if Compromised (WTDIC) document, published October 2019.

Earlier this year, NACS Daily published a three-part series on data security. Read the first installment, “Under Siege: Cybercriminals Target C-Stores,” here, the second installment, “To Prevent Cyberattacks, Minimize IT Vulnerabilities,” here and the third installment, “Remediating Cyberattacks Requires a Team Effort,” here.

For more information on data security and standards, visit