Casio UK site compromised, equipped with web skimmer
Japanese electronics maker Casio has had its UK website injected with a web skimmer that collected buyers’ personal and payment card information, Jscrambler has discovered.
The company says that the same skimmer has been added to at least seventeen (and possibly more) websites, but refrained from disclosing the names.
“All the victims were loading a skimmer script from the same hosting provider in Russia. It was also observed that even though the skimming domains could differ between victims, the skimmer code itself (the generic part) was, on various occasions, pretty similar, suggesting that they could’ve been created by the same web skimming generation tool. Whether that means that the activity is coming from a single web skimming threat actor or not cannot be concluded yet,” researcher Pedro Fortuna has shared.
The compromise
Jscrambler believes that the sites have been compromised by exploiting vulnerable components installed in Magento webstores.
“Typically, skimmers purposely limit their activity to the checkout section of victim websites, where users enter their personal and payment data. However, this attack deviated from that pattern, as the skimmer was active on all pages except the ‘/checkout’ page,” the company noted.
“The reason for that odd behavior has to do with a change to the usual payment flow. The threat actor expects users to first add items to their carts and then go to the cart page ‘/checkout/cart’ to check out and pay. In the Cart page, the skimmer then captures clicks on the ‘checkout’ button, and instead of the user being taken to the /checkout page, they are presented with a fake payment form using a modal window, asking for their personal details.”
After the victims entered and submitted their personal, contact and payment info, the skimmer encrypted it and sent it to the crooks. The victims were then shown a fake error message urging them to repeat the process on the site’s actual checkout page.
The fake error message shown by the skimmer (Source: JScrambler)
“The UI changes, especially the error that was being displayed and the fact that the user is asked to input the payment details twice should really be a good indicator for most people to suspect that something might be wrong. However, the fact that threat actors continue to do it in a seemingly sloppy way is a good indicator that most end users are not able to tell that they are being attacked and, therefore, are not sounding the alarm,” Fortuna added.
According to Jscrambler, the web skimmer became active on the Casio UK site sometime between January 14th and 24th, and they detected it on January 28. Casio UK removed the skimmer less than 24 hours later.
While the site had a Content Security Policy (CSP) in place, it had not been configured to report violations and so did not prevent the attack, they concluded.