Casio and Others Hit by Magento Web Skimmer Campaign
Visitors to at least 17 e-commerce sites including Casio UK may have had their credit card details stolen by web skimmer malware, researchers have warned.
Jscrambler said that the casio.co.uk infection was active January 14-24, but was remediated by the electronics firm as soon as it was notified about the security snafu on January 28.
The security vendor claimed that the skimmers were likely loaded by exploiting vulnerable components in the Magento e-commerce software used to run the sites.
An initial skimmer loader, which could be found straight from the homepage, fetched a second-stage skimmer from a Russian hosting provider. The same host was used for all victims, even though some of the skimmer domains differed, Jscrambler said.
The second-stage payload was obfuscated in a fairly rudimentary way, via a custom technique “used since at least 2022 by web-skimming threat actors,” as well as an “XOR-based string concealing technique.”
Rather than direct victims to the website’s checkout page to harvest their card details, as per most skimming attacks, the malicious code in this case follows a different model.
“The threat actor expects users to first add items to their carts and then go to the cart page ‘/checkout/cart’ to check out and pay,” Jscrambler explained.
“In the cart page, the skimmer then captures clicks on the ‘checkout’ button, and instead of the user being taken to the /checkout page, it is presented with a fake payment form using a modal window, asking for their personal details. This is, at first, a seemingly unsuspicious three-step form, with field validation and transitioning loading screens.”
Victims will first be asked to fill in their email, first/last name, address, city, country, postcode and phone number, before being presented with some details on shipping costs. After clicking on “continue” they’ll get another page of the payment form to insert their credit card number, name, expiry date and CVV.
Double-Entry Skimming
Clicking the “Pay now” button then triggers a JavaScript alert message saying, “Please verify your billing information and try again,” according to the researchers.
“After clicking OK, the skimmer triggers the exfiltration process and redirects users to the legitimate ‘/checkout’ page, asking them to fill in the exact details again. This is known in the PCI DSS v4 world as a double-entry skimming attack,” they added.
“One funny bit, though, is that if users click ‘buy now’ instead of ‘add to basket,’ the fake form is not injected, as it does not match the flow that the skimming code expects. This is a sign that web skimming threat actors do not spend much time perfecting their skimming flows.”
Rather than rely on the time- and labor-intensive Content Security Policy (CSP) standard to protect their sites, e-tailers would do better to install “easy-to-use, quickly deployable website monitoring solutions” to detect and remove any skimming infections, Jscrambler concluded.
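The flow described above depends on card fields appearing on the cart page, where a shop normally never asks for them. As an added example (not from Jscrambler or any affected site), the sketch below flags card-entry inputs inserted into any page other than the real checkout; the allowed path list, the attribute hints and the function names are assumptions for illustration.

```javascript
// Added example: flag card-entry fields appearing on pages that should never ask for them.
// Assumption: on this shop, card data is legitimately collected only on /checkout.
const CARD_ENTRY_PATHS = ['/checkout'];
// Assumption: attribute hints typical of card fields; tune to the storefront's real forms.
const CARD_HINTS = /(\bcc[-_]?(number|csc|exp)|card[-_ ]?(number|no)|cvv|cvc|expiry)/i;

function looksLikeCardField(el) {
  if (!el || !/^(input|select)$/i.test(el.tagName || '')) return false;
  return ['autocomplete', 'name', 'id', 'placeholder']
    .some((attr) => CARD_HINTS.test(el.getAttribute(attr) || ''));
}

// Collect card-like fields in an added subtree (the node itself plus descendants).
function findCardFields(root) {
  const candidates = [root, ...(root.querySelectorAll ? root.querySelectorAll('input,select') : [])];
  return candidates.filter(looksLikeCardField);
}

// True when a subtree injected on `pathname` asks for card data outside the allowed pages.
function isUnexpectedCardPrompt(pathname, root) {
  const path = pathname.replace(/\/+$/, '') || '/';
  if (CARD_ENTRY_PATHS.includes(path)) return false;
  return findCardFields(root).length > 0;
}

// Browser wiring: watch DOM insertions and hand findings to a reporting callback.
function watchForInjectedCardForms(report) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType === 1 && isUnexpectedCardPrompt(location.pathname, node)) {
          report({ path: location.pathname,
                   fields: findCardFields(node).map((f) => f.getAttribute('name')) });
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

if (typeof document !== 'undefined') {
  watchForInjectedCardForms((finding) => console.warn('card form outside checkout', finding));
}
```

A script injected into the same page can interfere with an in-page observer, so a finding from it is one detection signal to combine with server-side integrity checks on the storefront's scripts.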