Casio and 16 Other Websites Hit by Double-Entry Web Skimming Attack


A recent investigation has revealed a significant web skimming campaign affecting at least 17 websites, including the UK site of electronics giant Casio. Researchers uncovered these infections, likely stemming from vulnerabilities in Magento or similar e-commerce platforms, and are working to notify all affected parties.  

Client-side web security provider Jscrambler has published details of a web skimmer infection that hit electronics brand Casio’s UK website and 16 other victims; the company says it detected the infection on January 28.

Researchers Pedro Fortuna, David Alves and Pedro Marrucho wrote in the blog post, shared with Hackread.com, that the campaign used a double-entry web skimming technique. All of the affected sites reportedly loaded a script from the same Russian hosting provider, which suggests the attackers were working from a shared web skimming toolkit.

Further probing indicated that the infections most likely originated from vulnerable components in Magento webstores. Some of the domains hosting the skimmer had a long history, with registrations going back as far as 16 years, suggesting the attackers were trading on the reputation of older, possibly defunct domains.

Interestingly, unlike typical skimmers that target the checkout page, this one targeted the cart page. It intercepted the click on the checkout button and presented a fake multi-step payment form in a pop-up window, collecting names, billing addresses, contact details and credit card information.

According to the researchers’ blog post, once the victim submitted the fake form they were shown an error message and redirected to the legitimate checkout page, where they entered their payment details a second time, hence the name “double-entry” skimming. The real order still goes through, so the victim has no immediate reason to suspect anything.

Because of a flaw in the skimmer’s design, users who clicked “buy now” instead of “add to basket” were not affected. The skimming server also applied a detection-evasion technique: under certain conditions it simply did not return the skimmer script at all, so a scanner or analyst fetching the URL saw nothing malicious. Jscrambler researchers say they have observed this behaviour repeatedly.

Skimmer on Casio UK site (left) – Fake form stealing payment data (right) – Via Jscrambler Research team

The attack on Casio UK involved a two-stage skimmer. The first-stage loader was, unusually, not obfuscated at all and was written to look like an ordinary third-party script. It then injected a far more complex, heavily obfuscated second-stage skimmer, which used custom encoding and XOR-based string concealment to hide its strings from static inspection.
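The XOR string concealment mentioned above, as an added illustration (this is not the skimmer’s code; the key, the table contents and the field names are all constructed for the example): the deployed script carries only arrays of bytes plus a tiny decode routine, so a plain text search for `card` or `checkout` finds nothing, and an analyst can read the table by re-implementing the routine instead of executing the malware. The crib-based key recovery at the end is the shortcut you reach for when the key is not conveniently sitting next to the table.

```javascript
// Illustrative XOR string concealment of the kind the second-stage skimmer
// used. Hypothetical key and string table, constructed for this example.
const KEY = "k9"; // short repeating key, an assumption for the example

// XOR each byte with the repeating key. Encoding and decoding are the same
// operation, which is why malware likes it: one tiny routine does both.
function xorBytes(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

// What the author runs once, offline, to build the string table.
function conceal(plain, key) {
  return Array.from(xorBytes(Buffer.from(plain, "utf8"), key));
}

// What the deployed script runs at load time, and what the analyst
// re-implements to read the table without running the malware.
function reveal(entry, key) {
  return Buffer.from(xorBytes(Uint8Array.from(entry), key)).toString("utf8");
}

// Constructed string table: three strings a cart-page skimmer would need.
const STRING_TABLE = [
  conceal("cardNumber", KEY),
  conceal("/checkout/cart", KEY),
  conceal("click", KEY),
];

// Analyst helper: decode every entry so the script's intent is readable.
function dumpTable(table, key) {
  return table.map((entry) => reveal(entry, key));
}

// Analyst shortcut when the key is unknown: XOR a concealed entry against a
// guessed plaintext (a crib) for keyLength bytes to recover the key itself.
function recoverKey(entry, crib, keyLength) {
  if (crib.length < keyLength) throw new Error("crib shorter than key");
  let key = "";
  for (let i = 0; i < keyLength; i++) {
    key += String.fromCharCode(entry[i] ^ crib.charCodeAt(i));
  }
  return key;
}

console.log(dumpTable(STRING_TABLE, KEY));
console.log(recoverKey(STRING_TABLE[1], "/checkout", KEY.length));
```

Guessing a crib such as a leading `/` path or a well-known DOM event name is usually enough to recover a short repeating key, after which the whole table falls out.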

The stolen data was encrypted with AES-256-CBC before exfiltration. Because the key and initialization vector (IV) were sent in the exfiltration request alongside the ciphertext, the researchers were able to decrypt it without any further effort; the payload contained the full range of data the fake form collected, from billing addresses and contact details to complete credit card details.

The Casio UK infection was active between January 14 and January 24 and was removed within 24 hours of the company being alerted. The researchers also found that Casio UK’s Content Security Policy (CSP) could not have prevented the attack: it was deployed in report-only mode, which logs violations but blocks nothing, and it lacked a proper reporting mechanism, so the violations it would have flagged were not being collected either.

“The casio.co.uk skimming incident attests that although Content Security Policy (CSP) is a relatively simple standard, it’s often considered hard to manage. It is easy to make mistakes, which often leads to companies opting for a report only over blocking, which also takes away a significant portion of the benefit,” researchers concluded.
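To make the CSP finding concrete, here is an added example (not Casio’s policy and not Jscrambler’s code; hostnames and policies are constructed) that evaluates a policy against the two questions this incident raises: would it have stopped a script from the skimmer’s host, and would anyone have been told about the attempt? Source matching is deliberately simplified to `'self'`, a bare host, an `https://host` form and a leading `*.` wildcard; real CSP matching also handles ports, paths, nonces and hashes.

```javascript
// Simplified CSP evaluator for the report-only vs enforcing comparison.
// Constructed hosts and policies; not a full CSP implementation.
function parseCsp(headerName, headerValue) {
  const directives = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return {
    reportOnly: headerName.toLowerCase() === "content-security-policy-report-only",
    directives,
  };
}

function sourceMatches(sourceExpr, scriptHost, pageHost) {
  const s = sourceExpr.toLowerCase();
  if (s === "'self'") return scriptHost === pageHost;
  if (s === "*") return true;
  const host = s.replace(/^https?:\/\//, "").replace(/[\/:].*$/, "");
  if (host.startsWith("*.")) return scriptHost.endsWith(host.slice(1)); // "*.x" -> ".x"
  return scriptHost === host;
}

// allowed: does the allowlist permit the script?
// blocked: would the browser actually refuse to load it?
// reported: would a violation report reach an endpoint?
function evaluateScriptLoad(policy, scriptHost, pageHost) {
  const d = policy.directives;
  const sources = d["script-src"] || d["default-src"];
  const allowed = !sources || sources.some((src) => sourceMatches(src, scriptHost, pageHost));
  const hasEndpoint = "report-uri" in d || "report-to" in d;
  return {
    allowed,
    blocked: !allowed && !policy.reportOnly,
    reported: !allowed && hasEndpoint,
  };
}

const PAGE_HOST = "shop.example.com";
const SKIMMER_HOST = "static.skimmer-host.example"; // constructed attacker host
const CDN_HOST = "cdn.example.com";

// Weak: report-only and no endpoint. The allowlist itself is fine, but
// nothing is blocked and the violations go nowhere.
const WEAK_POLICY = parseCsp(
  "Content-Security-Policy-Report-Only",
  "default-src 'self'; script-src 'self' https://cdn.example.com"
);

// Corrected: same allowlist, enforced, with somewhere for violations to go.
// report-uri is deprecated in CSP3 in favour of report-to, but browser support
// for report-to is uneven, so deployments commonly send both.
const FIXED_POLICY = parseCsp(
  "Content-Security-Policy",
  "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report; report-to csp"
);

function compareOutcomes() {
  return {
    weakVsSkimmer: evaluateScriptLoad(WEAK_POLICY, SKIMMER_HOST, PAGE_HOST),
    fixedVsSkimmer: evaluateScriptLoad(FIXED_POLICY, SKIMMER_HOST, PAGE_HOST),
    fixedVsCdn: evaluateScriptLoad(FIXED_POLICY, CDN_HOST, PAGE_HOST),
  };
}

console.log(compareOutcomes());
```

Both policies reject the skimmer host, yet only the enforcing one blocks it, and only the one with an endpoint produces a report. The `report-to csp` directive needs a matching `Reporting-Endpoints` (or legacy `Report-To`) header naming the `csp` group, which is exactly the kind of wiring that tends to be missing when a policy is left in report-only mode indefinitely. Note also that a loader which injects its second stage as an inline script is caught by the same `script-src` directive as long as `'unsafe-inline'` is absent.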




