Researchers have uncovered a new web skimming attack targeting at least 17 e-commerce sites, including Casio UK's online store, with the malware potentially compromising customers' credit card information.
The security threat, identified by Jscrambler, was active on Casio's UK website between January 14 and 24, 2025, but was swiftly resolved after the electronics giant was alerted to the issue on January 28.
Fraud detection firm Jscrambler says that the skimming malware was likely introduced through vulnerable components within the Magento e-commerce platform, which powers numerous online retail sites. The attack involved two stages: a skimmer loader that appeared on the homepage of affected websites and a second-stage payload hosted on a Russian server.
The malicious code was designed to capture sensitive payment details. Unlike most skimming attacks that target users when they visit checkout pages, the observed attack utilized a more complex method. When users added items to their carts and attempted to proceed to checkout, the skimmer would activate, presenting them with a fake payment form instead of taking them to the legitimate checkout page.
The fake form initially asked for seemingly innocent details such as the user's name, email address, shipping information, and phone number. After submitting this information, victims were prompted to enter their credit card details, including the card number, expiry date, and CVV. Upon clicking the “Pay Now” button, the skimmer would display an error message instructing the user to verify their billing information.
At this point, the malicious code triggered the exfiltration of the stolen data and redirected victims to the legitimate checkout page, where they would be asked to re-enter their payment information—a tactic known as “double-entry skimming.”
Jscrambler said that the threat actor responsible for the attack likely chose to host the skimming code on a Russian server. Despite the different domains used by the skimming scripts, the same server was used to deliver the second-stage payload for all affected websites.
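A defender-side check for the behaviour described above, as an added example that is not from Jscrambler or the affected stores: it audits rendered-page snapshots for scripts served from unapproved hosts and for card fields that appear outside the real checkout path. The host names, checkout path, field-name hints and HTML snapshots are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the article): approved script hosts for the store,
# the legitimate checkout path, and substrings that identify card inputs.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}
CHECKOUT_PATH = "/checkout"
CARD_HINTS = ("cc-number", "cc-exp", "cc-csc", "cardnumber", "card_number", "cvv", "cvc")

class _PageAudit(HTMLParser):
    """Collects external script hosts and card-like input fields."""
    def __init__(self):
        super().__init__()
        self.script_hosts = set()
        self.card_fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:  # a relative src has no host and is same-origin
                self.script_hosts.add(host.lower())
        elif tag == "input":
            probe = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            if any(hint in probe for hint in CARD_HINTS):
                self.card_fields.append(a.get("name") or a.get("id") or "?")

def audit_page(path, html):
    """Return (finding, detail) tuples for one rendered page snapshot."""
    page = _PageAudit()
    page.feed(html)
    findings = [("unapproved-script-host", h)
                for h in sorted(page.script_hosts - ALLOWED_SCRIPT_HOSTS)]
    # A payment form before the real checkout page is the double-entry pattern.
    if page.card_fields and not path.startswith(CHECKOUT_PATH):
        findings.append(("card-fields-outside-checkout", ",".join(page.card_fields)))
    return findings

# Constructed snapshots: a cart page with an injected loader and fake form,
# and a legitimate checkout page.
CART_SNAPSHOT = """<html><body><script src="/static/app.js"></script>
<script src="https://loader.invalid/l.js"></script>
<form><input name="email"><input name="cardnumber" autocomplete="cc-number">
<input name="cvv"></form></body></html>"""
CHECKOUT_SNAPSHOT = """<html><body><script src="https://cdn.shop.example/pay.js"></script>
<form><input name="cardnumber" autocomplete="cc-number"></form></body></html>"""

if __name__ == "__main__":
    print(audit_page("/cart", CART_SNAPSHOT))
    print(audit_page("/checkout/payment", CHECKOUT_SNAPSHOT))
```

Because the second stage is loaded at runtime, the snapshots should be the rendered DOM (for example, captured by a headless browser) rather than the raw server response.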