Web Skimmer Campaign Targets Multiple Websites, Including Casio UK


2025-02-04

A recent investigation by Jscrambler has uncovered a web skimmer campaign affecting several websites, including Casio UK (casio.co.uk). The researchers have confirmed that at least 17 websites were compromised, and the number may grow as the investigation continues. The attackers most likely exploited vulnerabilities in Magento e-stores; on Casio UK's site the skimmer was active for a short period in mid-January 2025. The compromise was detected on January 28, 2025, and Casio UK removed the malicious code from its site within 24 hours.

What is unusual about this attack is that, unlike typical web skimmer campaigns that target the checkout page, the attackers placed the loader on every page except the checkout page. The loader sat in the homepage source without obfuscation, which made it easier to spot. It fetched the skimmer asynchronously and, once the skimmer was loaded, removed itself from the DOM, so an inspection of the live page after load would not show it. Nor was the attack a simple card-harvesting script: it was a layered scheme involving encrypted exfiltration and a fake payment form that collected users' personal and payment information.

What Undercode Says:

The Casio UK web skimmer incident is a textbook example of attackers adapting their techniques to evade detection and exfiltrate sensitive data. What stands out is the multi-layered strategy: a plain script injection as the entry point, combined with AES-256-CBC encryption and XOR-based obfuscation, which make both the skimmer code and its traffic harder to detect and analyse.

The fact that the attackers used an unobfuscated loader on the homepage is noteworthy. An unobfuscated script does not defeat a Content Security Policy (CSP): a CSP decides whether a script runs based on where it is loaded from, not on whether its code is readable. What let the loader run here was that the site's CSP was not being enforced, as discussed later in this post, so the browser reported the violation and executed the script anyway. Leaving the loader in clear text also exposes it to any security team monitoring the site's scripts for changes, so the choice is a trade-off rather than a bypass. The skimmer itself, by contrast, stayed out of sight until the shopper proceeded to checkout, which is what made it insidious.

Another element worth discussing is the fake 3-step checkout form used to capture information. The shopper first typed their details into the fake form, which sent them to the attackers, and was then passed on to the legitimate checkout page, where they entered the same data again and the real order went through. Because the genuine payment flow completed normally, the merchant's own checkout controls never saw anything unusual, and the shopper had little reason to suspect the first form. This "double-entry" design is what makes the technique so effective.

The encryption of the stolen data, with a fresh key generated for each request, is also central to how the attackers exfiltrate information undetected. It defeats network-level inspection: a proxy or data-loss-prevention tool looking for card numbers in outbound traffic sees only ciphertext, and capturing one request does not help decrypt the next. The data is sent to a server controlled by the attackers, so it is only ever readable at the far end.

Casio UK's own configuration was a contributing factor. The site's Content Security Policy was deployed in report-only mode (the Content-Security-Policy-Report-Only header rather than Content-Security-Policy), which means the browser only reports violations, in the console and, if configured, to a reporting endpoint, rather than blocking the offending resource. This is a common mistake: CSP is seen as complex and difficult to manage, and, as the report points out, many companies leave it in report-only mode believing it still provides a level of protection at reduced operational cost. In practice a report-only policy blocks nothing; the unauthorized loader would have been reported, if anyone was reading the reports, and executed regardless.
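The check a practitioner would want here is whether a site's CSP would actually have stopped an unauthorized loader. The following Python script, written for this post and not taken from the Jscrambler report or from any site's real configuration, audits a set of response headers: it flags a policy that exists only in report-only mode, and for an enforced policy evaluates whether a given script URL would be permitted by script-src (falling back to default-src). The header values, the shop.example.com origin and the evil.example.net loader URL are all constructed for illustration; host-source matching is simplified (no nonces, hashes or path matching).

```python
"""Audit CSP headers for the report-only mistake and for gaps in script-src.

Hypothetical example: the header values and URLs below are constructed for
illustration and are not taken from the Casio UK incident.
"""
from urllib.parse import urlparse

# Constructed sample responses (not real headers from any site).
REPORT_ONLY_HEADERS = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report",
}
ENFORCED_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report",
}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _split_host_source(source: str):
    """Break 'https://*.example.com:8443/path' into (scheme, host, port)."""
    scheme = None
    rest = source
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    rest = rest.split("/", 1)[0]              # host-source paths are ignored here
    host, _, port = rest.partition(":")
    return scheme, host, (int(port) if port.isdigit() else None)


def source_matches(source: str, script_url: str, page_origin: str) -> bool:
    """Simplified CSP source matching: 'none', 'self', *, scheme and host sources."""
    s = source.lower()
    u, p = urlparse(script_url), urlparse(page_origin)
    if s == "'none'":
        return False
    if s == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if s == "*":
        return True
    if s.endswith(":") and "//" not in s:     # scheme-source such as https:
        return u.scheme == s[:-1] or (s == "http:" and u.scheme == "https")
    if s.startswith("'"):                     # 'unsafe-inline', 'nonce-…', 'sha256-…'
        return False
    scheme, host, port = _split_host_source(s)
    scheme_ok = scheme is None or scheme == u.scheme or (scheme == "http" and u.scheme == "https")
    if host.startswith("*."):                 # wildcard matches subdomains only
        host_ok = bool(u.hostname) and u.hostname.endswith(host[1:])
    else:
        host_ok = u.hostname == host
    port_ok = port == u.port                  # both None means the scheme's default port
    return scheme_ok and host_ok and port_ok


def script_allowed(policy: dict, script_url: str, page_origin: str) -> bool:
    """Would this policy let the browser execute script_url on a page at page_origin?"""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                           # no governing directive: anything loads
    return any(source_matches(src, script_url, page_origin) for src in sources)


def audit(headers: dict, script_url: str, page_origin: str) -> dict:
    """Report whether an unexpected script would be blocked, and why not if not."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    findings = []
    if enforced is None and report_only is not None:
        findings.append("CSP is report-only: violations are reported, nothing is blocked")
    elif enforced is None:
        findings.append("no CSP header at all")
    blocked = False
    if enforced is not None:
        blocked = not script_allowed(parse_csp(enforced), script_url, page_origin)
        if not blocked:
            findings.append(f"enforced policy still permits {script_url}")
    return {"blocked": blocked, "findings": findings}


if __name__ == "__main__":
    loader = "https://evil.example.net/loader.js"     # constructed, not a real indicator
    for name, hdrs in (("report-only", REPORT_ONLY_HEADERS), ("enforced", ENFORCED_HEADERS)):
        print(name, audit(hdrs, loader, "https://shop.example.com"))
```

Run against the two constructed header sets, the report-only site reports the loader and lets it execute, while the identical policy sent as Content-Security-Policy blocks it. The same function also catches the other common failure, an enforced policy whose script-src is broad enough (a wildcard host, or a CDN origin the attacker can also upload to) that the loader is still permitted.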

The

This attack is a reminder of how important it is for organizations to have proper security controls in place around their checkout processes. Web skimming is not just an e-commerce problem but a systemic one that affects any site handling payment or personal data. Effective monitoring of the scripts a site serves, rapid incident response, and enforced (not report-only) configurations such as CSP should be prioritized to avoid breaches like this one.

In conclusion, while this attack on Casio UK was swiftly contained, it highlights critical weaknesses in the management of website security. As attackers become increasingly sophisticated, it’s vital for businesses to stay ahead of these threats by implementing more rigorous defense mechanisms, such as better Content Security Policies, comprehensive monitoring tools, and automated solutions for script security management. The reality of modern cyber threats means businesses must remain vigilant and proactive to protect their customers’ sensitive data.

References:

Reported By: https://securityaffairs.com/173797/malware/web-skimmer-casio-uks-site.html
