- The UK Casio store had malicious scripts installed
- The scripts stole credit card and customer information
- A fake checkout form was used to steal information
An unknown threat actor installed malicious credit card skimming code into Casio UK’s ecommerce store which reportedly went unnoticed for ten days.
The company has warned customers who made purchases through the casio.co.uk domain between January 14 and 24 may have had their credit card information and customer details stolen.
The attack was discovered by Jscrambler, which notified Casio on January 28 and the malicious code was removed within 24 hours. Jscrambler says that the skimming campaign also targeted 17 other websites.
Magento vulnerabilities
The skimmer likely made its way on to the site via vulnerable components in the Magento webstores, Jscrambler says, and did not use any obfuscation to hide the initial malicious code.
The first skimming script could be found directly from the homepage, and would load a second-state skimmer from a server with a Russian IP address.
Where this skimmer differs from typical attacks is in its execution. Rather than harvesting credit card information from the site’s legitimate checkout screen, this campaign loaded a fake checkout form that collected the customers billing address, email address, phone number, credit card holder’s name, credit card number, credit card expiration date, and credit card CVV code.
Details such as these are frequently used in credit fraud and identity theft attacks.
Once this information is entered and the fake ‘Pay Now’ button is clicked, an error is presented to the customer asking them to verify their billing information before redirecting the customer to the legitimate Casio checkout page to continue their purchase.
However, if a customer clicked the ‘buy now’ button rather than ‘add to basket’, the script would not trigger, indicating that the attackers didn’t take much time to refine the skimming flow to also target this payment trigger.
The secondary payload did attempt to obfuscate itself using an encoding technique that has been observed since 2022 that varies parts of its code between the different sites it targets. It also used an XOR-based string concealing technique.
Jscrambler recommends if sites are going to implement Content Security Policy (CSP) protections, they do so to the best of their ability and properly build and maintain the relevant tooling to ensure the CSP works. Alternatively, sites can use automated script security software.
Leave a comment