
Casio and 16 Websites Impacted by Web Skimmer


Researchers recently uncovered a significant web skimming campaign that targeted at least 17 websites, including the UK site of the well-known electronics company Casio. The attack, which was detected by client-side security provider Jscrambler on January 28, exploited vulnerabilities in popular e-commerce platforms like Magento. This allowed cybercriminals to inject a sophisticated skimmer into the affected websites, enabling them to intercept sensitive user information. Among the victims of this attack, Casio’s UK website stood out, with the attackers focusing on users interacting with the cart page.

What made this skimming campaign particularly insidious was the use of a double-entry skimming method. Instead of targeting only the checkout page, the malicious script infiltrated the cart page itself. When users clicked the checkout button, they were presented with a fake, multi-step payment form in a pop-up window. This form collected billing addresses, contact information, and credit card data. After users submitted the counterfeit form, they were redirected to the authentic checkout page, where they had to re-enter their payment information, so the victim typed the same details twice, once into the attacker's form and once into the legitimate one, with nothing visibly wrong.
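As an added illustration of the defender's side of the cart-page trick described above (this is example code, not the researchers' or Casio's, and the page type and field names are constructed assumptions): a small client-side check that flags a form asking for card data on a page where no payment form belongs, and, when run in a browser, watches the DOM for such a form being injected later.

```javascript
// Added example, not from the original article. Heuristic detection of a
// payment form appearing on a page type that should never collect card data
// (e.g. a cart page). Field names and page types below are constructed.

// Input names that indicate a card-data field; the list is an assumption.
const CARD_FIELD_PATTERNS = [
  /card[-_ ]?(number|num|no)/i,
  /\bcc[-_ ]?(number|num)?\b/i,
  /\b(cvv|cvc|cvv2|security[-_ ]?code)\b/i,
  /\b(exp(iry|iration)?|expdate)\b/i,
];

// Page types on which a payment form is expected; everything else is not.
const PAYMENT_PAGES = new Set(['checkout', 'payment']);

// Returns true when the list of field names looks like a card-entry form.
function looksLikePaymentForm(fieldNames) {
  const hits = fieldNames.filter(name =>
    CARD_FIELD_PATTERNS.some(re => re.test(name)));
  // Require at least two distinct card-related fields to limit false positives.
  return hits.length >= 2;
}

// Returns true when a card-entry form is present on a page that is not a
// payment page. This is the condition the article's double-entry skimmer met.
function isSuspiciousForm(pageType, fieldNames) {
  return !PAYMENT_PAGES.has(pageType) && looksLikePaymentForm(fieldNames);
}

// Extracts the name/id of every input inside a form element-like object.
function fieldNamesOf(form) {
  return Array.from(form.querySelectorAll('input'))
    .map(el => el.getAttribute('name') || el.getAttribute('id') || '');
}

// Browser-only: observe the document for forms injected after load.
// `onAlert` receives the offending form element; wire it to your reporting.
function watchForInjectedForms(pageType, onAlert) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null; // not running in a browser
  }
  const observer = new MutationObserver(mutations => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (!(node instanceof Element)) continue;
        const forms = node.matches('form') ? [node] : Array.from(node.querySelectorAll('form'));
        for (const form of forms) {
          if (isSuspiciousForm(pageType, fieldNamesOf(form))) onAlert(form);
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample field lists, stand-ins for what a DOM scan would return.
const SAMPLE_FORMS = {
  fakeCartPopup: ['billing_name', 'cc_number', 'cvv', 'exp_date'],
  cartQuantityForm: ['qty', 'coupon_code', 'update'],
};

function classifySamples(pageType) {
  const out = {};
  for (const [label, fields] of Object.entries(SAMPLE_FORMS)) {
    out[label] = isSuspiciousForm(pageType, fields);
  }
  return out;
}

console.log('cart page:', classifySamples('cart'));
console.log('checkout page:', classifySamples('checkout'));
```

The observer only fires on nodes added after page load, which is where an injected second-stage script would place a pop-up form; forms present in the initial HTML should be covered by a one-off scan with `fieldNamesOf` at load time.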

Further investigation into the skimmer’s design revealed several evasion techniques used to avoid detection. The skimmer used a two-stage injection process, starting with an un-obfuscated initial loader disguised as a regular third-party script. This loader then pulled in a more intricate, obfuscated second-stage skimmer that relied on custom encoding and XOR-based string concealment to mask its purpose. The attackers also encrypted the stolen data with AES-256-CBC before exfiltrating it. Researchers were able to decrypt the exfiltrated data, which included not only credit card details but also names, billing addresses, and other personally identifiable information.

The attack on the Casio UK website ran between January 14th and 24th, and once alerted, the company resolved the issue within 24 hours. Although Casio UK had a Content Security Policy (CSP) in place, it offered little protection because the CSP was operating in “report-only” mode and had no working reporting mechanism. This incident underscored a common flaw in CSP configurations: many organizations leave the policy in “report-only” mode, which reports violations (if reporting is configured at all) but never blocks the offending script. Consequently, the attack persisted for several days before being detected and mitigated. Researchers stressed the importance of correctly managing CSP to prevent such attacks effectively.
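To make the CSP point concrete, here is an added example (not code from the article, Jscrambler, or Casio; the header values are constructed and do not reflect Casio's real configuration) that audits a CSP header for the two weaknesses the article names, a report-only policy and a policy with no reporting endpoint, plus a couple of other script-src settings that would let an attacker-hosted loader run.

```javascript
// Added example, not from the original article. Audits a Content-Security-Policy
// header the way a deployment check might, returning a list of findings.

// Parses a CSP value into a Map of directive name -> source expressions.
// A CSP is a ';'-separated list; each directive is a name followed by
// whitespace-separated sources.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Returns an array of human-readable findings; empty means nothing flagged.
function auditCsp(headerName, headerValue) {
  const findings = [];
  const name = headerName.toLowerCase();
  const csp = parseCsp(headerValue);

  // Report-only mode never blocks: the article's core configuration flaw.
  if (name === 'content-security-policy-report-only') {
    findings.push('report-only: violations are reported, nothing is blocked');
  } else if (name !== 'content-security-policy') {
    findings.push(`unexpected header name: ${headerName}`);
  }

  // Without a reporting directive, even a report-only policy tells you nothing.
  if (!csp.has('report-to') && !csp.has('report-uri')) {
    findings.push('no report-to/report-uri: violations are never reported');
  }

  // script-src falls back to default-src when absent.
  const scriptSrc = csp.get('script-src') || csp.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: any script origin is allowed');
  } else {
    const hasNonceOrHash = scriptSrc.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts run");
    }
    if (scriptSrc.some(s => s === '*' || s === 'https:' || s === 'http:')) {
      findings.push('script-src allows any host: a loader from an attacker domain is permitted');
    }
  }
  return findings;
}

// Constructed sample headers: the weak setting beside the corrected one.
const SAMPLE_HEADERS = {
  reportOnlyNoReporting: [
    'Content-Security-Policy-Report-Only',
    "default-src 'self'; script-src 'self' https://cdn.example",
  ],
  enforcingWithReporting: [
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self' 'nonce-abc123' https://cdn.example; report-to csp-endpoint",
  ],
};

function auditSamples() {
  const out = {};
  for (const [label, [hdr, val]] of Object.entries(SAMPLE_HEADERS)) {
    out[label] = auditCsp(hdr, val);
  }
  return out;
}

for (const [label, findings] of Object.entries(auditSamples())) {
  console.log(label, findings.length ? findings : ['no findings']);
}
```

The `report-to` directive assumes a matching `Reporting-Endpoints` (or older `Report-To`) header naming `csp-endpoint`; the audit checks only that the CSP refers to a reporting endpoint, not that the endpoint itself is live, which is a separate thing to verify.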

In conclusion, the web skimming campaign that targeted the Casio UK website and other e-commerce platforms highlights the ever-present threat of cybercriminals exploiting vulnerabilities in online systems. It serves as a reminder for organizations to prioritize robust security measures, including proper CSP configurations, to safeguard sensitive user data and mitigate the risk of data breaches. Cybersecurity remains a critical aspect of modern business operations, and proactive measures are essential to combat evolving threats in the digital landscape.
