
Researchers at Jscrambler have identified a web-skimming campaign that compromised at least 17 websites, among them the Casio UK online store. The attackers are believed to have gained access by exploiting vulnerabilities in the sites' Magento e-commerce installations.
Casio UK Website Breach
The skimmer was deployed on the Casio UK website between January 14 and January 24, 2025. Jscrambler detected it on January 28 and alerted Casio UK, which removed the malicious code within 24 hours. Unlike typical skimmer attacks, which inject code into the checkout page itself, this campaign placed the skimmer on every page except checkout, and the initial loader was not obfuscated at all.
Technical Details of the Skimmer
The first-stage loader was reachable directly from the homepage and used no obfuscation; it looked like an ordinary third-party script loader. Once it ran, it removed its own script element from the page, so a later inspection of the DOM would not show it. The second-stage skimmer, by contrast, was wrapped in several layers of obfuscation, including a custom encoding scheme and XOR-based string hiding, to resist static analysis and detection.
- Skimmer Functionality: The skimmer hooked clicks on the checkout button and displayed a fake payment form to capture the shopper's personal and card data.
- Data Encryption: Stolen data was encrypted with AES-256-CBC using a fresh key and IV for each exfiltration request, so no two captured payloads look alike on the wire.
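The self-removal described above matters for defenders: a loader that deletes its own script element leaves nothing for a later DOM snapshot or page-source review to find, so the record has to be taken at the moment the element is inserted. The following is an added example, not code from Jscrambler, Casio or the skimmer itself, of an in-page ledger built on MutationObserver that does exactly that and flags script hosts outside an allowlist. The allowlist (`ALLOWED_HOSTS`), the host names and the sample insertions in `demoLedger` are all assumptions chosen for illustration.

```javascript
// Added example (not Jscrambler's, Casio's or the skimmer's code): an append-only
// ledger of <script> insertions. The classifier is kept free of DOM calls so the
// same logic can be exercised under Node; ALLOWED_HOSTS and the sample data are
// assumptions for illustration, not real telemetry.

const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.example']);

// entry = { src: string|null, inlineLength: number, pageHost: string, atMs: number }
function classifyScript(entry, allowedHosts = ALLOWED_HOSTS) {
  if (entry.src === null) {
    return { verdict: 'review', reason: 'inline script', ...entry };
  }
  let host;
  try {
    // Relative srcs resolve against the page origin; absolute ones keep their host.
    host = new URL(entry.src, `https://${entry.pageHost}`).hostname.toLowerCase();
  } catch (e) {
    return { verdict: 'alert', reason: 'unparseable src', ...entry };
  }
  if (host === entry.pageHost || allowedHosts.has(host)) {
    return { verdict: 'ok', reason: `allowed host ${host}`, ...entry };
  }
  return { verdict: 'alert', reason: `unexpected third-party host ${host}`, ...entry };
}

// Entries are never dropped when the element disappears, so a loader that
// removes itself a moment after insertion is still on record.
function createLedger() {
  const events = [];
  return {
    record(entry) {
      const finding = classifyScript(entry);
      events.push(finding);
      return finding;
    },
    alerts() { return events.filter((e) => e.verdict === 'alert'); },
    all() { return events.slice(); },
  };
}

// Browser wiring (returns null under Node): watch the whole document, <head>
// included, and record every <script> the moment it is added.
function installMonitor(ledger, doc) {
  doc = doc || (typeof document !== 'undefined' ? document : null);
  if (!doc || typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType === 1 && node.tagName === 'SCRIPT') {
          const finding = ledger.record({
            src: node.src || null,
            inlineLength: node.src ? 0 : node.textContent.length,
            pageHost: doc.location.hostname,
            atMs: Date.now(),
          });
          if (finding.verdict !== 'ok') console.warn('[script-monitor]', finding);
        }
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample of what the ledger would see on a product page: a known CDN
// script, an injected loader from an unexpected host, and a first-party script.
function demoLedger() {
  const ledger = createLedger();
  const pageHost = 'shop.example';
  ledger.record({ src: 'https://cdn.example/app.js', inlineLength: 0, pageHost, atMs: 1 });
  ledger.record({ src: 'https://loader.skimmer.example/stats.js', inlineLength: 0, pageHost, atMs: 2 });
  ledger.record({ src: '/static/cart.js', inlineLength: 0, pageHost, atMs: 3 });
  return ledger;
}
```

In a real deployment the monitor script itself has to be the first thing in `<head>` (anything inserted before the observer starts is missed) and the ledger should be shipped to a backend rather than only logged to the console, since the attacker controls the page after the loader runs.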
Impact and Mitigation
The skimmer presented victims with a fake three-step checkout form that collected personal and payment details. It fired only when a shopper added items to the cart and then proceeded to checkout; a shopper who clicked 'buy now' directly from a product page never saw the fake form. Once the entered data had been exfiltrated, the shopper was redirected to the legitimate checkout page, so the interception was not obvious to the victim.
Security Measures and Recommendations
Casio UK's website served a Content Security Policy (CSP) in report-only mode, which records violations (in the browser console and to any configured reporting endpoint) but does not block the offending script, so the policy did nothing to stop the loader. All skimmer infrastructure used in this campaign was hosted with a Russian hosting provider; some of the domains were newly registered, while others had an older registration history.
- CSP Challenges: An enforced CSP is hard to roll out on a large site without breaking legitimate scripts, so many companies leave the policy in report-only mode indefinitely, which gives visibility but no protection.
- Automated Solutions: The report recommends automated client-side protection, such as Jscrambler's Webpage Integrity, for inventorying and controlling the scripts that run on a page.
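To make the report-only point concrete, here is an added example, not Casio's actual policy and not Jscrambler's code, of a small evaluator for the CSP `script-src` directive. It implements a subset of CSP3 source matching (`'self'`, `'none'`, `*`, scheme sources and host sources with wildcard labels, ports and paths; nonces and hashes are left out) and shows the same policy delivered as `Content-Security-Policy-Report-Only` versus `Content-Security-Policy`. The policy text, page URL and script hosts in `demoCsp` are assumptions chosen for illustration.

```javascript
// Added example (not Casio's policy, not Jscrambler's code): what a browser does
// with one script load under an enforced CSP header versus a Report-Only header.
// Policy, hosts and URLs below are assumptions for illustration.

// Source expressions governing scripts: script-src if present, else default-src,
// else null (nothing restricts scripts).
function scriptSources(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length) directives[parts[0].toLowerCase()] = parts.slice(1);
  }
  return directives['script-src'] || directives['default-src'] || null;
}

// Subset of CSP3 source-expression matching. Nonces, hashes and 'unsafe-inline'
// are out of scope here.
function sourceMatches(expr, script, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return script.origin === page.origin;
  if (expr.startsWith("'")) return false;
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(script.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return script.protocol === expr.toLowerCase();
  // host-source: [scheme://][*.]host[:port|*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && script.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = script.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  if (port && port !== '*') {
    const actual = script.port || (script.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  if (path) {
    // A path ending in "/" is a prefix match; otherwise the path must match exactly.
    const ok = path.endsWith('/') ? script.pathname.startsWith(path) : script.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// An enforced policy blocks a non-matching script. Report-Only sends the same
// violation report (assuming a report endpoint is configured) but still lets
// the script execute.
function evaluateScriptLoad({ headerName, policy, scriptUrl, pageUrl }) {
  const script = new URL(scriptUrl);
  const page = new URL(pageUrl);
  const sources = scriptSources(policy);
  const allowed = sources === null || sources.some((e) => sourceMatches(e, script, page));
  const reportOnly = headerName.toLowerCase() === 'content-security-policy-report-only';
  return { violation: !allowed, reported: !allowed, executed: allowed || reportOnly };
}

// Constructed scenario: the same policy shipped as Report-Only (the weak
// setting) and as an enforced header, against a loader from an unexpected host.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example";
const PAGE = 'https://shop.example/product/123';
const SKIMMER = 'https://loader.skimmer.example/stats.js';

function demoCsp() {
  const run = (headerName, scriptUrl) =>
    evaluateScriptLoad({ headerName, policy: POLICY, scriptUrl, pageUrl: PAGE });
  return {
    reportOnly: run('Content-Security-Policy-Report-Only', SKIMMER),
    enforced: run('Content-Security-Policy', SKIMMER),
    legitimate: run('Content-Security-Policy', 'https://cdn.example/app.js'),
  };
}
```

The `reportOnly` result is the Casio UK situation: the violation is logged, but `executed` is still true. The usual migration path is to run both headers side by side, trim the enforced policy until its reports go quiet, and then drop the Report-Only header.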