
Caritas Spain, the Spanish member of the international Catholic charity network Caritas, had more than a dozen of its online donation websites compromised in a year-long web skimming campaign, new research revealed on Wednesday.
At least 17 websites belonging to Caritas Spain, part of Caritas Internationalis, were infiltrated in the campaign, according to a blog post published on Wednesday by Jscrambler, a cybersecurity firm specializing in client-side protection.
Jscrambler traced the campaign back to February 2024, although it was first discovered only last month, on March 16.
Caritas was informed of the infection on April 4, and the skimmers were completely removed from the organization's sites by April 11. However, the researchers could not confirm that the threat actors had also been evicted, and noted that they could still retain access.
In web skimming attacks, malicious JavaScript is injected into the checkout or payment pages of a website, allowing threat actors to capture the payment details a victim types in, or to present a fake payment form under the attackers' control and exfiltrate whatever is entered into it.
The researchers said that all the compromised websites were running WooCommerce, a popular e-commerce plugin for WordPress. They also observed that most were hosted at the same IP address, indicating that the sites shared a centralized management infrastructure.
The research also found that the attacks happened in “two distinct stages, carefully designed to remain undetected while intercepting sensitive payment data.”
“When someone visits a website solely to make a donation to a charitable cause and their cardholder data is stolen in the process, it feels especially disheartening,” Jscrambler said.
“Web skimming is a threat that transcends organization size, mission, or industry. Threat actors don’t discriminate — if a website processes cardholder data, it’s a viable target,” it said.
Complete payment card info compromised
Established in 1947, Caritas España is the Catholic Church’s official humanitarian relief organization in Spain and part of the larger Caritas charity network, which operates 160 organizations across all seven continents.
With at least 70 diocesan offices and more than 6,000 local "parish Caritas" across the country, Caritas España reported more than $7.4 million in contributions, membership fees and other income in 2022, according to its website.
The research blog shows that the victim's payment information was fully exposed to the attackers, including:
- Cardholder’s name
- Payment card number
- Expiration date
- CVV security number
- DNI number (Spain's national identity card number)
The attackers also captured a range of other personally identifiable information (PII): the cardholder's first and last name, email address, full mailing address and phone number, plus the user agent string of the browser used to visit the site.
This could leave tens of thousands of victims open to targeted phishing attacks and identity theft.
How it worked
The first stage, a loader, laid the groundwork for the attack; the second stage held the skimmer logic itself, injected a fake payment form and exfiltrated the captured data, the researchers observed.
Jscrambler said the Stage 1 loader “was injected as a one-liner at the bottom of the minified WooCommerce JavaScript which runs on the homepage.”
Once loaded, the second-stage script waited for the victim to choose a payment method.
Once a method was chosen, a fake "submit" button appeared, overlaying the real one. When it was clicked, a fake payment form appeared for the victim to enter their card details.
The fake payment form looked almost identical to the real one hidden underneath it, the research said.
After the fake form was submitted, the victim was redirected to the legitimate payment service provider's site to complete the transaction, leaving the donor with little reason to suspect that anything was wrong.
“Over time, it was observed that different scripts were being infected, multiple skimming techniques were deployed, and there were periods of dormancy,” the researchers said.
“These signs strongly suggest that the threat actors had persistent access to the WooCommerce environments, allowing them to reintroduce or modify the skimming code at will, shift infection points, and rotate infrastructure domains as needed,” they said.
Using a decoy credit card to trace what happened to skimmed data, the researchers concluded that the attackers were using automation to validate captured card accounts within minutes of stealing them.
The Jscrambler team also found that, besides the Caritas sites, the threat actor's infrastructure hosted 61 other websites on the same IP address, which led to the discovery of several other targeted websites, many of them also communicating with the attackers' command-and-control (C2) server.