Casio UK Web Store Hacked to Inject Customer Credit Card Stealing Scripts

A sophisticated web-skimming campaign targeting multiple websites, including the UK online store of electronics giant Casio (casio[.]co.uk).

The attack, which exposed sensitive customer data, highlights ongoing vulnerabilities in e-commerce platforms and the evolving tactics of cybercriminals.

The breach on casio.co.uk was traced back to a malicious web skimmer script that became active between January 14th and 24th.

Jscrambler Researchers detected the threat on January 28th and promptly notified Casio UK, which managed to remove the infection within 24 hours.

However, during the period of activity, the skimmer harvested sensitive customer information, including billing addresses, credit card details, phone numbers, and email addresses.

Unlike traditional skimmers that operate primarily on checkout pages, this attack deviated from the norm. The malicious script was active on all pages except the “/checkout” page.

Instead, it intercepted user interactions on the cart page and redirected customers to a fake payment form designed to mimic legitimate processes. This three-step form collected personal and payment details before exfiltrating the data to a command-and-control server hosted in Russia.

Credit Card Stealing Scripts

The skimmer employed multiple layers of obfuscation to evade detection:

• Custom Encoding: Variables and strings were uniquely encoded for each victim.
• XOR-Based Concealment: Strings were concealed using XOR encryption to bypass static analyzers and web application firewalls (WAFs).

The exfiltration process used AES-256-CBC encryption with randomly generated keys and initialization vectors (IVs) for each request. The stolen data was transmitted to domains such as app[.]imagechat[.]net, which was linked to servers in Russia.

Interestingly, the skimmer did not activate if users clicked “buy now” instead of “add to basket,” indicating that the attackers had not fully refined their malicious code, reads the report.

While Casio UK had implemented a Content Security Policy (CSP), it was set to “report-only” mode without active enforcement or reporting directives.

This configuration allowed CSP violations to be logged in browser consoles but failed to block malicious scripts. Experts noted that this is a common issue among organizations due to the complexity of managing CSP effectively.

The Casio.co.uk breach is part of a larger campaign affecting at least 17 websites running vulnerable components on Magento or similar e-commerce platforms. All affected sites loaded skimmer scripts from domains hosted by a single Russian provider. Some of these domains had been registered recently but leveraged reputations from historical records dating back over a decade.

This attack is indicative of broader trends in web-skimming operations, often referred to as Magecart attacks. Smaller merchants are frequently targeted due to weaker security measures. The use of defunct or aged domains further complicates detection efforts.

The incident underscores critical gaps in e-commerce security:

1. Ineffective CSP Implementation: Organizations must move beyond report-only CSP configurations and adopt automated solutions for script security.
2. User Awareness: While visible UI anomalies in this attack could have alerted users, most end-users lack the expertise to identify such threats.
3. Proactive Monitoring: Deploying advanced website monitoring tools is essential for detecting and removing infections promptly.

Here is a table summarizing the Indicators of Compromise (IoC) related to the Casio UK skimming attack:

This table highlights the malicious domains, their associated IP addresses, and hosting details, which can be used for threat intelligence and mitigation efforts.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Start Now for Free.

The post Casio UK Web Store Hacked to Inject Customer Credit Card Stealing Scripts appeared first on Cyber Security News.