Casio’s online store hit by bogus credit card stealing checkout form

(Image credit: Shutterstock)

The UK Casio store had malicious scripts installed
The scripts stole credit card and customer information
A fake checkout form was used to steal information

An unknown threat actor installed malicious credit card skimming code into Casio UK’s ecommerce store which reportedly went unnoticed for ten days.

The company has warned customers who made purchases through the casio.co.uk domain between January 14 and 24 may have had their credit card information and customer details stolen.

The attack was discovered by Jscrambler, which notified Casio on January 28 and the malicious code was removed within 24 hours. Jscrambler says that the skimming campaign also targeted 17 other websites.

Magento vulnerabilities

The skimmer likely made its way on to the site via vulnerable components in the Magento webstores, Jscrambler says, and did not use any obfuscation to hide the initial malicious code.

The first skimming script could be found directly from the homepage, and would load a second-state skimmer from a server with a Russian IP address.

Where this skimmer differs from typical attacks is in its execution. Rather than harvesting credit card information from the site’s legitimate checkout screen, this campaign loaded a fake checkout form that collected the customers billing address, email address, phone number, credit card holder's name, credit card number, credit card expiration date, and credit card CVV code.

Details such as these are frequently used in credit fraud and identity theft attacks.

Once this information is entered and the fake ‘Pay Now’ button is clicked, an error is presented to the customer asking them to verify their billing information before redirecting the customer to the legitimate Casio checkout page to continue their purchase.

However, if a customer clicked the ‘buy now’ button rather than ‘add to basket’, the script would not trigger, indicating that the attackers didn’t take much time to refine the skimming flow to also target this payment trigger.

The secondary payload did attempt to obfuscate itself using an encoding technique that has been observed since 2022 that varies parts of its code between the different sites it targets. It also used an XOR-based string concealing technique.

Jscrambler recommends if sites are going to implement Content Security Policy (CSP) protections, they do so to the best of their ability and properly build and maintain the relevant tooling to ensure the CSP works. Alternatively, sites can use automated script security software.

Tata Technologies confirms ransomware attack, says investigation still ongoing
These are the best UK credit monitoring services
Take a look at our guide to the best web browsers

TOPICS

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.