Casio’s online store hit by bogus credit card stealing checkout form
Threat actors injected code into the Casio site. An unknown threat actor installed malicious credit card skimming code into Casio UK’s ecommerce store, which reportedly went unnoticed for ten days. The company has warned customers who made purchases through the casio.co.uk domain between January 14 and 24 that their credit card information and customer details may have been stolen.
The attack was discovered by Jscrambler, which notified Casio on January 28; the malicious code was removed within 24 hours. Jscrambler says the skimming campaign also targeted 17 other websites. The skimmer likely made its way onto the site via vulnerable components in the Magento webstore, Jscrambler says, and did not use any obfuscation to hide the initial malicious code.
The first skimming script could be found directly on the homepage, and would load a second-stage skimmer from a server with a Russian IP address. Where this skimmer differs from typical attacks is in its execution. Rather than harvesting credit card information from the site’s legitimate checkout screen, this campaign loaded a fake checkout form that collected the customer’s billing address, email address, phone number, credit card holder’s name, credit card number, credit card expiration date, and credit card CVV code.
Details such as these are frequently used in credit fraud and identity theft. Once this information is entered and the fake ‘Pay Now’ button is clicked, an error is shown asking the customer to verify their billing information, before they are redirected to the legitimate Casio checkout page to continue their purchase.
However, if a customer clicked the ‘buy now’ button rather than ‘add to basket’, the script would not trigger, suggesting the attackers did not take much time to refine the skimming flow to cover this payment path as well. The secondary payload did attempt to obfuscate itself, using an encoding technique observed since 2022 that varies parts of its code between the different sites it targets; it also used an XOR-based string-concealing technique.
Jscrambler recommends that if sites implement Content Security Policy (CSP) protections, they do so to the best of their ability and properly build and maintain the relevant tooling to ensure the CSP works. Alternatively, sites can use automated script security software.
Author: Benedict, Staff Writer at TechRadar Pro, covering cybersecurity.
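To show what "ensuring the CSP works" means in practice, here is an added example (not Jscrambler's, Casio's or TechRadar's code) that models how a `script-src` allowlist decides which script sources a browser will load. It builds a policy for a hypothetical store origin, evaluates a constructed list of observed script tags against it, and includes a `form-action 'self'` directive so that an injected form cannot post to a third-party host. The store origin, the payment-SDK host and the script URLs are all constructed; the loader on the TEST-NET address stands in for an unknown external host and is not an indicator from the article.

```javascript
// Added example: a small model of CSP script-src matching so a store can
// check, before deploying a policy, that only approved script origins load.
// All origins and script URLs below are constructed for illustration.

const PAGE_ORIGIN = "https://shop.example"; // hypothetical store origin

// Build a CSP header value with a script allowlist and a reporting endpoint.
function buildCsp(allowedScriptOrigins, reportEndpoint) {
  const scriptSrc = ["'self'", ...allowedScriptOrigins].join(" ");
  const directives = [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "form-action 'self'", // forms may only submit back to the store itself
  ];
  if (reportEndpoint) directives.push(`report-uri ${reportEndpoint}`);
  return directives.join("; ");
}

// Return the source list governing scripts (script-src, else default-src).
function scriptSources(csp) {
  const directives = csp.split(";").map((d) => d.trim()).filter(Boolean);
  const find = (name) => directives.find((d) => d.startsWith(name + " "));
  const directive = find("script-src") || find("default-src");
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// Does one CSP source expression permit this script URL?
// Simplified: ignores ports and treats host sources as https-only.
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source.startsWith("'")) return false;              // other keywords
  if (/^[a-z]+:$/i.test(source)) return url.protocol === source; // scheme source
  let host = source.replace(/^[a-z]+:\/\//i, "");        // strip optional scheme
  const wildcard = host.startsWith("*.");
  if (wildcard) host = host.slice(2);
  if (url.protocol !== "https:") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Would the browser load a script from this src under the given policy?
function isScriptAllowed(csp, scriptSrc) {
  const url = new URL(scriptSrc, PAGE_ORIGIN); // resolves relative paths
  return scriptSources(csp).some((s) => sourceMatches(s, url));
}

// Inline <script> blocks only run if the policy explicitly allows them.
function isInlineAllowed(csp) {
  return scriptSources(csp).includes("'unsafe-inline'");
}

// Constructed sample of script tags an auditor might collect from a page.
const OBSERVED_SCRIPTS = [
  "/static/js/checkout.js",                 // same-origin store code
  "https://cdn.payments.example/v3/sdk.js", // approved payment SDK (hypothetical)
  "https://203.0.113.77/loader.js",         // unknown external host (TEST-NET placeholder)
  "https://static.trackers.example/t.js",   // third party not on the allowlist
];

// Audit every observed script against the policy; blocked entries are the
// ones that would have been stopped, or that need a deliberate allowlist entry.
function auditScripts(csp, scripts = OBSERVED_SCRIPTS) {
  return scripts.map((src) => ({ src, allowed: isScriptAllowed(csp, src) }));
}

const POLICY = buildCsp(["cdn.payments.example"], "/csp-report");
console.log("Content-Security-Policy:", POLICY);
for (const { src, allowed } of auditScripts(POLICY)) {
  console.log(allowed ? "ALLOW " : "BLOCK ", src);
}
```

Run it with `node` to see which of the sample scripts the policy admits. The point for a defender is the audit loop: if a legitimate script shows up as blocked, the allowlist is incomplete and the policy will be loosened in a hurry; if an unexpected host shows up as allowed, the policy is too broad to stop a second-stage loader. Pairing the header with a `report-uri` endpoint turns every blocked load on real customer browsers into a signal worth alerting on.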