Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Casio Website Infected With Skimmer 

A threat actor has infected Casio UK’s website with a web skimmer on all pages, except the typical checkout page.

A threat actor has infected the website of Casio UK and 16 other victims with a web skimmer that altered the payment flow to harvest and exfiltrate visitors’ information, web security provider Jscrambler reports.

On the electronics company’s UK website, the infection was active between January 14 and January 24, and it was removed last week, immediately after being discovered.

What set the incident apart, Jscrambler says, was that the web skimmer was active on all pages, except for the checkout page, which is the typical target for information stealers.

The attackers infected the website with a skimmer loader that fetched a second-stage skimmer from an attacker-controlled server, and which altered the usual payment flow in a visible manner, albeit without raising visitors’ suspicion.

Unlike skimmers placed on the checkout section to capture the information the user enters there, the web skimmer on Casio UK’s website monitored clicks on the checkout button to show them a fake payment form instead.

The altered payment flow consisted of three steps, where the user was first asked to enter information such as name, full address, email address, and phone number, then showed information on shipping costs, and finally asked to provide credit card details, including number, name, expiration date, and CVV.

Advertisement. Scroll to continue reading.

After completing the form at the third step, the victim was shown a message that they should check the information and try again, and was then redirected to the legitimate checkout page, where they were asked to fill out the same details again.

The attack flow relied on the victim adding items to the cart and then proceeding to checkout. If the user clicked on ‘buy now’ instead, the fake form was not displayed.

According to Jscrambler, the skimmer attack on Casio UK was possible because the website had a content security policy set to report-only, meaning that the events were only logged in the browser console, failing to prevent the attack.

The security firm also discovered that in all 17 infections the skimmer script was loaded from the same hosting provider in Russia, and that the skimmer code was similar between infections, meaning that they were likely created using the same tool.

Related: Thousands Impacted by Casio Data Breach

Related: Google Releases Open Source Library for Software Composition Analysis

Related: ‘YoroTrooper’ Espionage Group Linked to Kazakhstan

Related: Visa Warns of Attack Involving Mix of POS Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.