Introduction

A sophisticated web skimming campaign has compromised the credit card and personal information of visitors to at least 17 organizations, including Casio’s UK subsidiary [1] [5]. The attack used skimmer malware that targeted the cart page of e-commerce sites rather than the checkout page, exposing significant weaknesses in the affected sites' security controls.

Description

Visitors to at least 17 organizations, including Casio’s UK subsidiary [1] [5], may have had their credit card and personal information stolen by a sophisticated web skimming campaign that injected skimmer malware into the sites. The attack specifically targeted the cart page rather than the traditional checkout page, using deceptive tactics to harvest sensitive information from users [3]. The infection on casio.co.uk was active from January 14 to 24, 2025 [5], going undetected for ten days [2], and was remediated by the company on January 28 after it was notified by Jscrambler [5]. The attackers exploited known vulnerabilities in the Magento e-commerce software and ran a two-tier skimming operation [6]. The initial skimmer [5], embedded on the site itself [6], served as a loader for a more complex second-stage skimmer hosted on a server controlled by the attackers [6], which was linked to Russian domains.

The second-stage payload employed multiple layers of obfuscation [7], including XOR-based string masking and custom encoding [1], whereas the first-stage code was not obfuscated. Victims were shown a fraudulent payment form designed to capture sensitive information and, through a deceptive three-step checkout process, were prompted to provide their email [5], name [2] [5] [6], billing address [1] [2] [4] [7], phone number [2] [4] [5] [7], and credit card details, including the card number, expiration date [2], and CVV code.

The attack was characterized as double-entry skimming [5]: clicking the “Pay Now” button on the fake form triggered a fake error message asking users to verify their billing information, after which they were redirected to the legitimate checkout page and encouraged to re-enter their details [5], so the same data was entered once into the skimmer and once into the real checkout. Notably, if users clicked “buy now” instead of “add to basket,” the fake form was not injected [5], indicating a lack of refinement in the skimming flow [5]. The skimmer encrypted the stolen data with AES-256-CBC [7], generating a unique key and initialization vector for each request [4], and sent the ciphertext to the attackers’ server.

This incident highlights the critical need for properly configured security measures [3]: the Content Security Policy (CSP) in place for Casio UK was set to report-only mode, which logs violations but does not block them, so it failed to stop the attack [7]. The difficulty companies face in managing CSP effectively often leads to configurations that forfeit most of its security benefit. This reflects broader trends in web-skimming operations [4], which frequently target smaller merchants because of their weaker security measures [4], and underscores gaps in e-commerce security that must be closed to prevent similar compromises. E-commerce sites are advised to deploy CSP in enforcing mode and to maintain the tooling needed to keep the policy effective [2], rather than relying on the mere presence of a CSP header.
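As an added example (not from the original report or any of the cited sources), the following Python audits a set of HTTP response headers for the weakness described above: a CSP delivered only as Content-Security-Policy-Report-Only, plus the directives an injected payment form or exfiltration request would need to be blocked. The header values are constructed samples for a hypothetical store, not Casio's actual configuration.

```python
# Constructed sample headers (hypothetical store): the weak setting beside a corrected one.
REPORT_ONLY_HEADERS = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' https://cdn.example; report-uri /csp-report",
}
ENFORCING_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' https://cdn.example; "
        "connect-src 'self'; form-action 'self'; frame-ancestors 'none'",
}


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(headers):
    """Return findings describing how these response headers would fail to stop a web skimmer."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    findings = []
    enforcing = h.get("content-security-policy")
    if not enforcing:
        if h.get("content-security-policy-report-only"):
            findings.append("CSP is report-only: violations are reported but nothing is blocked")
        else:
            findings.append("no CSP header present")
        return findings
    d = parse_csp(enforcing)
    # script-src falls back to default-src when absent.
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src permits 'unsafe-inline': an injected inline skimmer would execute")
    if any(s in ("*", "http:", "https:") for s in script):
        findings.append("script-src permits any origin: a second-stage skimmer from an attacker host would load")
    # Stolen data leaves the page via fetch/XHR (connect-src) or a form POST (form-action).
    if "connect-src" not in d and "default-src" not in d:
        findings.append("no connect-src or default-src: scripts may send data to any origin")
    if "form-action" not in d:  # form-action does not fall back to default-src
        findings.append("no form-action: a fake payment form can POST to any origin")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("report-only", REPORT_ONLY_HEADERS), ("enforcing", ENFORCING_HEADERS)):
        print(name, "->", audit_csp(hdrs) or ["no findings"])
```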

Conclusion

This incident underscores the urgent need for enhanced security protocols in e-commerce platforms, particularly the implementation of robust Content Security Policies (CSP) and other protective measures. Companies must address the vulnerabilities that allow such sophisticated attacks to occur, focusing on both prevention and rapid detection. As web-skimming operations continue to evolve, it is imperative for businesses to stay ahead of potential threats by regularly updating their security practices and ensuring comprehensive protection for their customers’ sensitive information.

References

[1] https://www.channele2e.com/brief/web-skimming-campaign-hits-several-websites-including-casios-uk-subsidiary
[2] https://www.techradar.com/pro/security/casios-online-store-hit-by-bogus-credit-card-stealing-checkout-form
[3] https://www.hendryadrian.com/double-entry-web-skimming-attack-campaign-hits-17-websites/
[4] https://cybersecuritynews.com/casio-uk-store-hacked/
[5] https://www.infosecurity-magazine.com/news/casio-magento-web-skimmer-campaign/
[6] https://www.purevpn.com/blog/news/casio-uk-e-shop-hacked-customer-credit-cards-stolen/
[7] https://securityaffairs.com/173797/malware/web-skimmer-casio-uks-site.html