SecurityWeek

Casio Website Infected With Skimmer 

A threat actor has infected Casio UK’s website with a web skimmer on all pages, except the typical checkout page.

A threat actor has infected the website of Casio UK and 16 other victims with a web skimmer that altered the payment flow to harvest and exfiltrate visitors’ information, web security provider Jscrambler reports.

On the electronics company’s UK website, the infection was active between January 14 and January 24, and it was removed last week, immediately after being discovered.

What set the incident apart, Jscrambler says, was that the web skimmer was active on all pages, except for the checkout page, which is the typical target for information stealers.

The attackers infected the website with a skimmer loader that fetched a second-stage skimmer from an attacker-controlled server, and which altered the usual payment flow in a visible manner, albeit without raising visitors’ suspicion.

Unlike skimmers placed on the checkout section to capture the information the user enters there, the web skimmer on Casio UK’s website monitored clicks on the checkout button and showed visitors a fake payment form instead.

The altered payment flow consisted of three steps: the user was first asked to enter information such as name, full address, email address, and phone number, then shown information on shipping costs, and finally asked to provide credit card details, including number, name, expiration date, and CVV.

After completing the form at the third step, the victim was shown a message that they should check the information and try again, and was then redirected to the legitimate checkout page, where they were asked to fill out the same details again.

The attack flow relied on the victim adding items to the cart and then proceeding to checkout. If the user clicked on ‘buy now’ instead, the fake form was not displayed.

According to Jscrambler, the skimmer attack on Casio UK was possible because the website had a content security policy set to report-only, meaning that the events were only logged in the browser console, failing to prevent the attack.
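
As an added example (not code from Jscrambler or SecurityWeek), the following header audit flags the report-only condition described above: a script policy that is observed but never enforced, and a report-only policy with no reporting endpoint. It assumes one policy per header; the function names, finding codes and sample headers are constructed for illustration.

```python
# Added example: audit response headers for the report-only CSP gap.
SCRIPT_DIRECTIVES = ("script-src-elem", "script-src", "default-src")  # fallback order
FINDINGS = {
    "REPORT_ONLY": "script policy is report-only: violations are observed, not blocked",
    "NO_SCRIPT_POLICY": "no policy restricts where scripts load from",
    "ANY_HOST": "enforced script policy allows any host",
    "NO_ENDPOINT": "report-only policy has no report-uri/report-to: "
                   "violations only reach the browser console",
}


def parse_csp(value):
    """Parse one CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(headers):
    """Return finding codes for a dict of response headers (names case-insensitive)."""
    h = {name.lower(): value for name, value in headers.items()}
    enforced = parse_csp(h.get("content-security-policy", ""))
    report_only = parse_csp(h.get("content-security-policy-report-only", ""))
    codes = []
    # The directive that governs <script> loads in the enforced policy, if any.
    governing = next((d for d in SCRIPT_DIRECTIVES if d in enforced), None)
    if governing is None:
        monitored = any(d in report_only for d in SCRIPT_DIRECTIVES)
        codes.append("REPORT_ONLY" if monitored else "NO_SCRIPT_POLICY")
    elif any(src in ("*", "http:", "https:") for src in enforced[governing]):
        codes.append("ANY_HOST")
    if report_only and not ({"report-uri", "report-to"} & report_only.keys()):
        codes.append("NO_ENDPOINT")
    return codes


# Constructed sample headers (not taken from any real site).
SAMPLES = {
    "report-only": {"Content-Security-Policy-Report-Only":
                    "default-src 'self'; script-src 'self' https://cdn.example"},
    "enforced": {"content-security-policy":
                 "script-src 'self' https://cdn.example; report-uri /csp-report"},
    "none": {"Content-Type": "text/html"},
}
```

An empty result means an enforced policy governs script loads and does not allow arbitrary hosts; it does not judge whether the allowed hosts themselves are trustworthy.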

The security firm also discovered that in all 17 infections the skimmer script was loaded from the same hosting provider in Russia, and that the skimmer code was similar between infections, meaning that they were likely created using the same tool.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
