Researchers have uncovered a significant web skimming campaign affecting at least 17 websites, including the UK site of the well-known electronics company Casio. The attack, identified by client-side security provider Jscrambler, was first detected on January 28 and is believed to have been made possible by vulnerabilities in e-commerce platforms like Magento. These vulnerabilities were exploited by cybercriminals to inject a sophisticated skimmer into the affected websites, allowing them to intercept sensitive user information. Among the affected websites, Casio’s UK site was one of the notable victims, and the attack likely targeted users who interacted with the cart page.
The skimmer used in this campaign was particularly insidious due to its use of a double-entry skimming method. Rather than simply targeting checkout pages, the malicious script targeted the cart page itself.
Upon clicking the checkout button, users were presented with a fake, multi-step payment form within a pop-up window. This form gathered sensitive information, including billing addresses, contact details, and credit card information. Once users submitted the fake form, they were redirected to the legitimate checkout page where they were forced to re-enter their payment details, effectively allowing the attackers to steal this data twice.
Further investigation revealed that the skimmer’s design employed various evasion techniques to avoid detection. It used a two-stage injection process, with an un-obfuscated initial loader that appeared as a regular third-party script. This loader then injected a more complex, obfuscated second-stage skimmer that employed custom encoding and XOR-based string concealment to hide its true intent. The attackers also used sophisticated encryption methods, including AES-256-CBC, to protect the stolen data before exfiltrating it. Researchers were able to decrypt the exfiltrated data, which included not only credit card details but also names, billing addresses, and other personally identifiable information.
The Casio UK site was actively infected between January 14th and 24th, and once the company was alerted, the attack was resolved within 24 hours. Researchers noted that the Content Security Policy (CSP) used by Casio UK was ineffective in blocking the attack because it was set to “report-only” mode and lacked proper reporting mechanisms. The skimming incident highlights a common problem with CSP configurations: many organizations mistakenly use “report-only” mode, which prevents the effective blocking of malicious scripts. This failure in CSP management allowed the attack to persist for several days before being discovered and mitigated. The researchers emphasized that while CSP is a simple standard, managing it correctly is crucial for preventing such attacks.
Reference: