In early February 2025, reports emerged of a sophisticated web skimming attack that compromised the UK website of electronics manufacturer Casio, and at least 16 other ecommerce sites. This Magecart-style breach led to the theft of customers’ personal and payment information, highlighting the persistent threat of digital skimming to online retailers.
![Casio Web skimming on UK website](https://www.rapidspike.com/wp-content/uploads/2025/02/casio-website.png?wsr)
Image Source: Casio UK Website
What is a Web Skimming Attack?
Web skimming, also known as formjacking or Magecart attacks, involves injecting malicious JavaScript code into websites, particularly ecommerce platforms, to steal sensitive user data during transactions. Attackers typically target payment pages to capture information such as credit card numbers, billing addresses, and contact details. This intercepted data is then transmitted to external servers controlled by the attackers and sold on the dark web.
Attack Analysis
Unlike traditional skimming attacks that focus solely on checkout pages, this incident employed a two-stage skimmer active across all website pages except the checkout page. The attackers exploited known vulnerabilities in the Magento ecommerce platform, executing a two-tier skimming operation that allowed them to exfiltrate data stealthily.
The initial stage was an unobfuscated loader disguised as a legitimate third-party script, which acted as a gateway for the secondary payload. The loader then triggered a more advanced skimmer that encrypted and exfiltrated sensitive data, including contact information, credit card details, and billing addresses. To avoid detection, the attackers used XOR-based string masking and custom encoding techniques, making the malicious script harder to identify.
The skimmer was active on Casio UK’s website from January 14th to 24th, 2025, remaining undetected for ten days. Casio remediated the issue on January 28th, 2025, after being alerted to the breach. However, the total number of affected customers remains unknown.
Preventative Measures
To mitigate the risk of web skimming attacks, ecommerce businesses should implement the following security measures:
- Regular Security Audits: Conduct frequent vulnerability assessments and penetration testing to identify and resolve potential security gaps.
- Third-Party Script Management: Carefully vet and continuously monitor third-party scripts and services to prevent unauthorized code injections.
- Content Security Policy (CSP): Enforce a strict CSP to limit the execution of unauthorized scripts, reducing the risk of code injection attacks.
- Magecart Detection: Deploy advanced monitoring solutions that can detect and block unauthorized scripts in real time, ensuring a rapid response to security threats.
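As an added illustration of the script management and CSP measures above (example code written for this article, not taken from the incident or from any vendor tool), the following Node.js sketch audits every page's `<script>` tags against an allowlist and derives the matching CSP `script-src` value. The origin `shop.example`, the allowed hosts, and the sample pages are constructed assumptions.

```javascript
// Added example: audit <script> tags on every page against an allowlist.
// Assumed policy for a hypothetical shop; hosts and snippets are constructed.
const SITE_ORIGIN = 'https://shop.example';
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.analytics.example']);
const ALLOWED_INLINE = new Set(['window.dataLayer=[];']); // exact known inline snippets

// Return one finding per script the allowlist does not cover.
function auditScripts(pageUrl, html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host = null;
      // Resolve relative and protocol-relative URLs the way a browser would.
      try { host = new URL(raw, SITE_ORIGIN).hostname; } catch { host = null; }
      if (!host || !ALLOWED_HOSTS.has(host)) {
        findings.push({ page: pageUrl, type: 'external', value: raw });
      }
    } else if (m[2].trim() !== '' && !ALLOWED_INLINE.has(m[2].trim())) {
      findings.push({ page: pageUrl, type: 'inline', value: m[2].trim().slice(0, 60) });
    }
  }
  return findings;
}

// Audit all pages, not only checkout: a loader can sit on any page.
const auditSite = (pages) =>
  Object.entries(pages).flatMap(([url, html]) => auditScripts(url, html));

// Matching CSP directive so the browser enforces the same host allowlist.
// Inline scripts would additionally need a nonce or hash source.
function cspScriptSrc() {
  const own = new URL(SITE_ORIGIN).hostname;
  const hosts = [...ALLOWED_HOSTS].filter((h) => h !== own).map((h) => `https://${h}`);
  return ["script-src 'self'", ...hosts].join(' ');
}

// Constructed sample: the product page carries a look-alike third-party host.
const SAMPLE_PAGES = {
  '/': '<script src="/static/app.js"></script><script>window.dataLayer=[];</script>',
  '/product/1': '<script src="https://cdn.analytics.example/a.js"></script>' +
    '<script src="https://cdn-analytics.example/a.js"></script>',
};

console.log(auditSite(SAMPLE_PAGES), cspScriptSrc());
```

Run on a schedule against rendered pages, a non-empty findings list is the signal to investigate; the regex extraction here only sees scripts present in the HTML, not ones added later by other scripts.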
The Casio UK breach underscores the growing sophistication of web skimming attacks and the need for proactive cybersecurity measures to protect consumer data. As threat actors continue to evolve their techniques, ecommerce businesses must stay vigilant and prioritise security to safeguard customer trust and financial information.