Casio UK’s e-shop at casio.co.uk was hacked to embrace malicious scripts that stole bank card and buyer info between January 14 and 24, 2025.
Any prospects who made purchases between these dates might have had their private particulars and bank card knowledge stolen by hackers.
The incident was found by JSCrambler, who notified Casio on January 28. The malicious script was faraway from the Casio UK website inside 24 hours.
JSCrambler says the assault leveraged Magento vulnerabilities and in addition focused 17 different web sites. The opposite firm’s names are being withheld because the researchers work with the affected websites to take away the infections.
Supply: JSCrambler
Operation particulars
From a technical perspective, the assault makes use of a easy first-stage skimmer planted on the web site, which dynamically fetches the second-stage skimmer from a Russian internet hosting supplier (ru-jsciot).
The second stage is obfuscated utilizing customized encoding and XOR-based string concealing to evade detection.
As soon as the sufferer added objects to their digital cart, the skimmer loaded a pretend checkout type as a substitute of directing them to the precise checkout web page, as most skimmers do.
Supply: JSCrambler
The shape wasn’t designed to match Casio UK’s total web site theme, and it will not set off if “buy now” is clicked, indicating an absence of sophistication within the assault.
The malicious type is designed to steal the client’s delicate knowledge, together with billing handle, electronic mail handle, telephone quantity, bank card holder’s title, bank card quantity, bank card expiration date, and bank card CVV code.
After coming into all particulars, the sufferer is offered with a bogus error after which redirected to Casio UK’s authentic checkout web page to finish their order as traditional.
The stolen knowledge is AES-256-CBC encrypted and exfiltrated to the attacker’s server, which, in the entire noticed circumstances, was a Russian IP handle.
Supply: JSCrambler
JSCrambler feedback that Casio had Content material Safety Coverage (CSP) protections in place, which ought to limit malicious script execution on the web site, nevertheless it was configured too loosely.
“Casio UK had a Content Security Policy (CSP) in place, but it was set to report-only mode (Content-Security-Policy-Report-Only) and was not configured to report back any violations (no report-uri or report-to directives),” explains JSCrambler.
“As a result, CSP violations were only logged in the browser console rather than actively preventing the attack.”
Casio’s safety lapses
The Japanese electronics and watchmaking big has had a tough time lately with a number of knowledge breaches and ransomware assaults impacting numerous departments and providers.
Early final month, the corporate admitted that the ransomware assault it suffered in October 2024, claimed by Underground, had uncovered the private knowledge of roughly 8,500 individuals.
Additionally in October, Casio disclosed a separate safety incident the place an attacker accessed the private info of its ClassPad schooling platform prospects from 149 international locations.
