
Hackers Target Caritas Charity Sites
A cyberattack hit 17 websites of Caritas Spain, a major Catholic charity, compromising donor card data for more than a year without detection.
In a rush? Here are the quick facts:
- Attackers used fake donation forms to steal donor card data.
- The sites used WooCommerce, a popular WordPress plugin.
- Over 60 fake domains supported the attack’s infrastructure.
The attackers used a method called web skimming, in which malicious code is inserted into a website to steal sensitive information from users. In this case, the skimmer created a fake donation form that mimicked the real one and silently captured personal and payment data, including names, addresses, card numbers, CVV codes, and more.
“This campaign reinforces a broader trend that has been observed: web skimming infections are increasingly driven by modular kits,” wrote researchers at Jscrambler, who flagged the hack. These kits allow hackers to easily mix different tools and channels to deliver malicious code and collect stolen data.
The researchers say that the infected websites were all powered by WooCommerce, a popular plugin for online payments on WordPress. The attack had two parts: first, a tiny piece of hidden code was injected into the site’s homepage to contact the hackers’ server.
Then, the second-stage script added a fake “Continue” button over the real one. Once users clicked it, they were shown a counterfeit online payment form, designed to look like the official gateway from Santander bank.
After capturing the data, the form briefly showed a loading spinner before redirecting the donor to the legitimate payment site, making the scam harder to notice.
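The two stages described above leave static traces a site owner can look for: a loader that references a host the site does not normally talk to, and a form that submits somewhere other than the site's own payment gateway. The following is an added example, not code from Jscrambler, Caritas, or WooCommerce. It parses a page with the standard library only and flags script sources, URLs embedded in inline scripts, and form actions whose hostname is outside an allowlist. Every hostname and the sample page are constructed for illustration; the runtime overlay of a fake “Continue” button is not visible in served HTML and would need a browser-side check in addition to this one.

```python
"""Static audit of a fetched page for off-allowlist script and form destinations.

Added example; not the project's or the researchers' code. Hostnames are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute http(s) URLs inside inline script bodies (host plus optional path).
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")


class PageAudit(HTMLParser):
    """Collect external script sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self.form_actions = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])
            else:
                self._in_script = True
                self._buf = []
        elif tag == "form":
            self.form_actions.append(attrs.get("action") or "")

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def host_of(url):
    """Lower-cased hostname of an absolute URL, or '' for relative/empty values."""
    return (urlparse(url).hostname or "").lower()


def audit_page(html, allowed_hosts):
    """Return (kind, value) findings for anything that reaches an off-allowlist host.

    Relative URLs (no hostname) are treated as same-origin and never flagged.
    """
    parser = PageAudit()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src in parser.script_srcs:
        if host_of(src) and host_of(src) not in allowed:
            findings.append(("external-script", src))
    for body in parser.inline_scripts:
        for url in URL_RE.findall(body):
            if host_of(url) and host_of(url) not in allowed:
                findings.append(("inline-script-url", url))
    for action in parser.form_actions:
        if host_of(action) and host_of(action) not in allowed:
            findings.append(("offsite-form", action))
    return findings


# Constructed sample page: a legitimate WooCommerce asset, an inline loader pointing
# at an unknown host (first stage), and a second "Continue" form posting off-site.
SAMPLE_HTML = """
<html><head>
<script src="https://donate.example-charity.test/wp-content/plugins/woocommerce/assets/js/frontend.js"></script>
<script>var cfg={endpoint:"https://cdn.example-unknown.test/l.js"};</script>
</head><body>
<form action="https://donate.example-charity.test/checkout"><button>Continue</button></form>
<form action="https://pay.example-unknown.test/collect"><button>Continue</button></form>
</body></html>
"""

# Hosts the donation page is expected to reference: the site itself and its gateway.
ALLOWED = {"donate.example-charity.test", "gateway.example-bank.test"}

if __name__ == "__main__":
    for kind, value in audit_page(SAMPLE_HTML, ALLOWED):
        print(f"{kind}: {value}")
```

Run this against a page fetched on a schedule and diff the findings over time; the first-stage loader in the reported campaign was a small snippet on the homepage, so a new off-allowlist URL appearing in any script is the signal worth alerting on, even before a form changes.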
“It’s especially concerning given the target,” Jscrambler noted. “Caritas is a non-profit dedicated to helping vulnerable communities. Still, attackers were happy to keep their skimming operation going […] for over a year.”
The infection was first discovered on March 16, 2025, and the affected websites were eventually taken offline for maintenance in early April after Jscrambler reached out.
By April 11, the malicious code was finally removed. However, the hackers had shifted tactics in the meantime, altering the script to avoid detection.
Researchers also found signs that this group targeted other websites too, using over 60 fake domains to distribute the skimmer and collect data. Many of these were hosted on the same IP address, pointing to a centralized setup. Jscrambler reports that Caritas has not released an official statement about the breach.