Full Report
Casio UK's e-shop at casio.co.uk was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025. [...]
Analysis Summary
# Incident Report: Casio UK E-commerce Card Skimming Incident
## Executive Summary
The Casio UK official online store was compromised through a digital skimming attack, where attackers injected malicious JavaScript code onto the checkout pages. This allowed them to capture sensitive customer payment card details in real-time as they were entered by users. The incident's primary impact was a data breach involving credit/debit card information from unsuspecting customers. The response involved collaboration with security researchers to identify and remove the malicious script.
## Incident Details
- **Discovery Date:** Not explicitly stated; the report implies the compromise was identified shortly after it began, through external security research.
- **Incident Date:** Transactions processed on the Casio UK online store while the skimmer was present; the report summary gives the window as January 14 to 24, 2025.
- **Affected Organization:** Casio UK (Official Online Store)
- **Sector:** E-commerce/Retail
- **Geography:** United Kingdom (UK)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Likely exploitation of a vulnerability in the web application or third-party script library used on the checkout pages (a common form of Magecart/digital skimming).
- **Details:** Attackers injected a malicious JavaScript file onto the payment processing pages.
### Lateral Movement
- Not applicable; this was a direct page injection attack focused on the point of transaction capture.
### Data Exfiltration/Impact
- **Data Stolen:** Customer credit card data, including Primary Account Number (PAN), cardholder name, expiration date, and CVV.
- **Impact:** Direct theft of financial data during online checkouts.
### Detection & Response
- **Detection:** The compromise was identified through external security research and reporting of suspicious activity on the site's payment form.
- **Response Actions:** Casio UK worked to quickly remove the malicious script responsible for skimming the payment data.
## Attack Methodology
- **Initial Access:** Injection of malicious code (likely cross-site scripting variant or direct file modification on the server hosting the payment page scripts).
- **Persistence:** Maintaining the presence of the malicious JavaScript on the checkout pages.
- **Privilege Escalation:** Not explicitly detailed, but implies the attacker gained sufficient access to modify front-end web assets.
- **Defense Evasion:** The script likely targeted the client-side transaction phase, attempting to send data to an external server without being easily detected by standard server-side transaction monitoring.
- **Credential Access:** Theft of payment card details (PAN, CVV, Name, Expiry) directly from the browser session during form submission.
- **Discovery:** Not applicable; the report describes no reconnaissance of the environment by the attacker.
- **Lateral Movement:** Not applicable.
- **Collection:** Real-time capture of form field data entered by the customer.
- **Exfiltration:** Transmission of captured data to external attacker-controlled infrastructure.
- **Impact:** Financial data theft.
## Impact Assessment
- **Financial:** Potential costs related to investigation, remediation, customer notification, and potential regulatory fines. Direct loss to customers.
- **Data Breach:** Exposure of credit/debit card numbers and associated details for all customers who made purchases during the compromise window.
- **Operational:** Short-term disruption to handle the incident and communicate with customers.
- **Reputational:** Damage to customer trust in the security of the Casio UK online platform.
## Indicators of Compromise
- **Network Indicators:** No specific C2 domains or IPs are given in the report; expect external domains that hosted the malicious JavaScript payload and received the exfiltrated card data.
- **File Indicators:** Malicious JavaScript file(s) loaded onto the payment pages.
- **Behavioral Indicators:** Unauthorized scripts executing on the checkout page that communicate with external infrastructure during form submission events.
## Response Actions
- **Containment:** Identifying and immediately removing the injected malicious JavaScript code responsible for skimming.
- **Eradication:** Reviewing the web application environment (especially files related to the checkout functionality) to ensure all malicious code was removed and backdoors closed.
- **Recovery:** Restoring legitimate checkout functionality and monitoring the affected pages closely for recurrence. Notifying affected customers about the necessity to monitor their statements.
## Lessons Learned
- **Key Takeaways:** Controlling reliance on third-party scripts and ensuring the integrity of front-end code on payment pages is critical. Server-side validation of payment data (which occurs *after* a client-side skimmer has already captured it) is essential, but cannot by itself prevent client-side theft.
- **What could have been done better:** Subresource Integrity (SRI) checks for external scripts, and a strict Content Security Policy (CSP) restricting where scripts may be loaded from and where the page may send data, alongside an enhanced Web Application Firewall (WAF).
## Recommendations
- Implement a strict Content Security Policy (CSP) that allowlists only trusted domains for script sources (`script-src`) and for outbound connections and form submissions (`connect-src`, `form-action`), so that an injected script cannot load from or send data to unauthorized hosts.
- Enhance Client-Side Security: Regularly audit all JavaScript files on payment pages, possibly using specialized security monitoring services (like those that detect digital skimming attempts).
- PCI DSS Compliance Review: Conduct an immediate and thorough review to ensure all handling within the cardholder data environment (CDE) meets the required standards, particularly regarding client-side browser security on payment pages.
- Require multi-factor authentication and change approval for any file system or database change affecting public-facing web applications.