Tue Feb 04 2025

The Casio online store suffers a credit card theft attack through a fake form in the payment process.

Cybercriminals inserted code into Casio's website.

An unknown threat actor managed to install credit card skimming malware on Casio's online store in the UK, according to reports. This attack was present on the site for approximately ten days and affected customers who made purchases through the domain casio.co.uk between January 14 and January 24, who may have suffered the theft of their credit card information and other personal data.

The discovery of the attack is attributed to Jscrambler, a cybersecurity company, which alerted Casio about the situation on January 28. Following the notification, the malicious code was removed within 24 hours. Jscrambler also noted that this skimming campaign affected another 17 websites.

The malware appears to have entered the site through vulnerable components of the Magento stores and operated without using obfuscation techniques to hide its initial presence. The first skimming sequence could be found directly on the homepage and loaded a second skimming script from a server with a Russian IP address.

What is characteristic of this attack is its method of execution. Instead of capturing card data on the legitimate checkout screen, the campaign implemented a fake payment form that collected detailed information from customers, including their billing address, email address, phone number, cardholder name, card number, expiration date, and CVV code.

Once users entered this data and clicked the 'Pay now' button, they were presented with an error asking them to verify their billing information before being redirected to the actual Casio payment page to complete their purchase. However, if a customer selected the 'buy now' button instead of 'add to cart,' the script did not activate, indicating that the attackers took time to adjust the skimming flow to encompass this payment trigger.

The second component of the attack attempted to obfuscate itself through a coding technique that has been seen since 2022, which varies parts of its code across the different sites it compromises. It also employed a string concealment technique based on XOR.

Jscrambler suggests that if sites decide to implement Content Security Policies (CSP), they should do so effectively and maintain the right tools to ensure that such policies function correctly. Alternatively, it is recommended to use automated script security software.
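The CSP recommendation can be turned into a check. The following is an added example, not code from Jscrambler or Casio: it audits a response's CSP headers for gaps that would let an inline loader fetch a second-stage script from another host. The header values, function names and finding texts are constructed for illustration, and `script-src-elem` is not handled.

```python
# Added example: audit CSP response headers for gaps that would let an inline
# loader pull a second-stage script from another host. Headers are constructed.
WEAK = {"Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' 'unsafe-inline' https:"}
HARDENED = {"Content-Security-Policy":
            "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; report-to csp-endpoint"}

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # A repeated directive is ignored; the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(headers):
    """Return a list of findings for a dict of HTTP response headers."""
    headers = {k.lower(): v for k, v in headers.items()}
    enforced = headers.get("content-security-policy")
    report_only = headers.get("content-security-policy-report-only")
    findings = []
    if enforced is None:
        if report_only is None:
            return ["no CSP header: any script may load"]
        findings.append("policy is Report-Only: violations are not blocked")
    policy = parse_csp(enforced if enforced is not None else report_only)
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations go unseen")
    # script-src falls back to default-src when absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        findings.append("no script-src or default-src: script loads unrestricted")
        return findings
    lowered = [s.lower() for s in sources]
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in lowered)
    if "'unsafe-inline'" in lowered and not pinned:
        findings.append("script-src allows 'unsafe-inline': injected inline code runs")
    # With 'strict-dynamic', host and scheme sources are ignored by the browser.
    if "'strict-dynamic'" not in lowered:
        for s in lowered:
            if s in ("*", "https:", "http:"):
                findings.append(f"script-src source {s} permits scripts from any host")
    return findings
```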