A web skimming campaign has targeted multiple websites, including Casio UK, in a sophisticated double-entry attack. Security firm Jscrambler discovered that at least 17 websites were compromised, with the attack on Casio UK lasting from January 14th to January 24th. The threat actor installed a web skimmer on all pages except the checkout page. This skimmer altered the usual payment flow, manipulating the user into entering sensitive information such as name, address, email, phone number, and credit card details into a fake payment form.
The double-entry technique involved an unobfuscated loader that fetched a second-stage skimmer from an attacker-controlled server. The second-stage skimmer encrypted and exfiltrated sensitive customer information, including contact information, credit card details, and billing addresses, and concealed its malicious activity through XOR-based string masking and custom encoding. After completing the fake form, victims were redirected to the legitimate checkout page, where they were asked to fill out the same details again. Jscrambler noted that Casio UK's website had a content security policy set to report-only mode, which logged events but failed to prevent the attack.
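The report-only gap described above can be checked for in a site's own response headers. The following is an added example, not code from Jscrambler or from any affected site: the function names (`parseCsp`, `effective`, `auditCsp`) are hypothetical and the header values are constructed. It flags a policy that is only reported, and for an enforced policy it flags script and connect sources broad enough to permit a third-party script load or an outbound data request.

```javascript
// Added example: audit a response's CSP headers (all header values below are constructed).
// Heuristic only: it does not model nonces, hashes or 'strict-dynamic'.
const BROAD = new Set(["*", "https:", "http:", "data:", "'unsafe-inline'"]);

// Parse a CSP header value into a Map of directive -> array of source expressions.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Sources governing a fetch directive, falling back to default-src; null if neither is set.
function effective(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? null;
}

function auditCsp(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const enforcedValue = h["content-security-policy"];
  const reportOnlyValue = h["content-security-policy-report-only"];
  const findings = [];
  if (!enforcedValue) {
    findings.push(reportOnlyValue
      ? "report-only policy: violations are logged, nothing is blocked"
      : "no CSP header at all");
    return { enforced: false, findings };
  }
  const policy = parseCsp(enforcedValue);
  // script-src covers the loader and second-stage fetch; connect-src covers fetch/XHR exfiltration.
  for (const directive of ["script-src", "connect-src"]) {
    const sources = effective(policy, directive);
    if (sources === null) findings.push(`${directive}: unrestricted (no ${directive} or default-src)`);
    else for (const s of sources) if (BROAD.has(s.toLowerCase())) findings.push(`${directive}: broad source ${s}`);
  }
  return { enforced: true, findings };
}

// Constructed sample responses.
const reportOnly = { "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report" };
const enforced = { "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; report-uri /csp-report" };
const loose = { "content-security-policy": "script-src 'self' https: 'unsafe-inline'" };
for (const [name, hdrs] of Object.entries({ reportOnly, enforced, loose })) console.log(name, auditCsp(hdrs));
```

A report-only header is useful while tuning a policy, but the same policy has to be sent as `Content-Security-Policy` before the browser blocks anything.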