Casio UK’s online store was breached between 14 and 24 January 2025, it has emerged, resulting in the exposure of personal and financial information of customers who made purchases during this time. The attack involved malicious scripts placed on the website, which were designed to capture sensitive data, including credit card details. Customers who interacted with the site during this period may have had their information compromised.
The breach was discovered by cybersecurity firm JSCrambler, which informed Casio about the issue on 28 January. Upon receiving the notification, Casio is said to have moved quickly to remove the malicious code from its e-commerce platform. The compromised script was eliminated within 24 hours of its detection.
JSCrambler revealed that the attack exploited vulnerabilities in the Magento e-commerce platform used by Casio UK. The cybercriminals deployed the malicious code in two stages. Initially, a basic skimmer was installed on the website, which then triggered the download of a more sophisticated script from a Russian hosting provider. This second-stage skimmer used obfuscation techniques, including custom encoding and XOR-based string concealment, to avoid detection by security systems.
The attack specifically targeted the checkout process. Once customers added items to their cart, the skimmer redirected them to a fake checkout form rather than the legitimate payment page. Although the form did not match the website’s design and could not be activated by clicking the “buy now” button, it still managed to collect sensitive customer data. This included billing addresses, email addresses, phone numbers, credit card holder’s names, credit card numbers, expiration dates, and CVV codes.
After entering their information, victims were shown a fake error message and then redirected back to Casio UK’s legitimate checkout page, where they could complete their purchase.
The malicious form was designed to capture a range of sensitive personal information, which included billing and contact details, as well as full credit card data. Once the information was entered, it was encrypted using AES-256-CBC and sent to an external server linked to a Russian IP address. This data could then be used for fraudulent activities or sold on underground markets.
Security protections found inadequate
Despite the presence of a Content Security Policy (CSP) on the Casio UK website, JSCrambler found that it was not configured to adequately protect against such an attack. The CSP was set to “report-only mode,” meaning it did not actively block the execution of malicious scripts. Instead, any violations were logged only in the browser console.
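The report-only failure mode described above can be checked mechanically from a site's response headers. The following Python snippet is an added example, not code from the article, from JSCrambler or from Casio; it parses a CSP header, decides whether a script loaded from a given origin would actually be blocked, and flags a policy that is only delivered as `Content-Security-Policy-Report-Only`. The header values, page origin and script hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

ENFORCING = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    parts = [p.split() for p in value.split(";") if p.strip()]
    return {t[0].lower(): t[1:] for t in parts}

def source_matches(source, script_url, page_origin):
    """One script-src source expression vs. an absolute script URL. Handles *,
    'self', host, *.host and full origins; nonces/hashes never match a URL."""
    s, script = source.lower(), urlsplit(script_url)
    if s == "*":
        return True
    if s == "'self'":
        return f"{script.scheme}://{script.netloc}" == page_origin.lower()
    if s.startswith("'"):                    # 'none', 'nonce-…', 'sha256-…', …
        return False
    allowed = urlsplit(s if "://" in s else "//" + s)
    if allowed.scheme and allowed.scheme != script.scheme:
        return False
    host = allowed.hostname or ""
    if host.startswith("*."):
        return (script.hostname or "").endswith(host[1:])
    return script.hostname == host

def script_blocked(headers, script_url, page_origin):
    """Return (blocked, reason). Only the enforcing header blocks anything; a
    report-only policy just logs the violation and the script still runs."""
    lower = {k.lower(): v for k, v in headers.items()}
    if ENFORCING not in lower:
        if REPORT_ONLY in lower:
            return False, "report-only: violation logged, script still runs"
        return False, "no CSP header"
    policy = parse_csp(lower[ENFORCING])
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False, "no script-src or default-src directive"
    if any(source_matches(s, script_url, page_origin) for s in sources):
        return False, "script origin is allow-listed"
    return True, "script origin not allowed by script-src"

# Constructed sample headers and URLs, not Casio UK's real configuration.
PAGE = "https://shop.example"
FOREIGN_SCRIPT = "https://stage2.example.net/loader.js"   # hypothetical second-stage host
WEAK = {"Content-Security-Policy-Report-Only": "script-src 'self' https://cdn.example"}
FIXED = {"Content-Security-Policy": "script-src 'self' https://cdn.example"}
```

With the same directive value, `WEAK` lets the foreign loader run and only logs a violation, while `FIXED` blocks it; note that an `'unsafe-inline'` or overly broad `script-src` would still let an inline first-stage skimmer execute even in enforcing mode.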
The attack on Casio UK was part of a wider campaign that affected at least 17 other websites. JSCrambler has not revealed the identities of the other compromised sites, as the company is still working with the affected organisations to remove the malicious code and secure their platforms.
This breach adds to a series of cybersecurity challenges faced by Casio in recent months. In October 2024, the company disclosed a ransomware attack that exposed the personal data of around 8,500 individuals. The Underground ransomware group claimed responsibility for the attack. Additionally, the same month saw another security incident, this time affecting the ClassPad education platform, which serves customers in 149 countries.