Threat Intelligence, Malware

Web skimmer campaign targets Caritas Spain’s donation sites


Cybernews reports that Caritas Internationalis, the Catholic Church's official charity organization, had at least 17 websites of its Spanish arm compromised as part of a web skimmer campaign that commenced in February 2024.

According to a report from cybersecurity firm Jscrambler, the attacks injected an initial-stage loader below the homepage's minified WooCommerce JavaScript, along with a second-stage script that tracked payment method selection. They exposed individuals' names, birthdates, mailing addresses, email addresses, and phone numbers, as well as payment card numbers, expiration dates, CVV numbers, and national identity card numbers.

Further analysis showed not only the compromise of various scripts but also the use of several skimming approaches as part of the campaign. "These signs strongly suggest that the threat actors had persistent access to the WooCommerce environments, allowing them to reintroduce or modify the skimming code at will, shift infection points, and rotate infrastructure domains as needed," said researchers, who noted that attackers could still have retained access to the sites despite the removal of the skimmers earlier this month.
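A file-integrity check for the pattern described above (code placed below an otherwise intact minified script, then reintroduced or moved to another file), as an added example that is not from Jscrambler's report or the original article. The file paths, script contents and function names are constructed for illustration.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Record (length, sha256) for every known-good script."""
    return {path: (len(body), sha256(body)) for path, body in files.items()}

def audit(baseline, current):
    """Compare the scripts currently served against the baseline.

    Returns {path: finding}. "appended:N" means the known-good bytes are
    intact and N extra bytes follow them, which is how code placed below a
    minified bundle shows up. Unchanged files are not reported.
    """
    findings = {}
    for path, body in current.items():
        if path not in baseline:
            findings[path] = "new-file"      # possible shifted infection point
            continue
        size, digest = baseline[path]
        if sha256(body) == digest:
            continue
        if len(body) > size and sha256(body[:size]) == digest:
            findings[path] = "appended:%d" % (len(body) - size)
        else:
            findings[path] = "modified"
    for path in baseline.keys() - current.keys():
        findings[path] = "missing"
    return findings

# Constructed sample data: a known-good deployment and what is served later.
GOOD = {
    "assets/js/shop.min.js": b"!function(w){w.shop={ready:!0}}(window);",
    "assets/js/checkout.min.js": b"!function(w){w.checkout={step:1}}(window);",
}
TAIL = b"\n/* constructed placeholder standing in for an injected loader */"
SERVED = {
    "assets/js/shop.min.js": GOOD["assets/js/shop.min.js"] + TAIL,
    "assets/js/checkout.min.js": b"!function(w){w.checkout={step:2}}(window);",
    "assets/js/track.js": b"/* constructed: file absent from the baseline */",
}

if __name__ == "__main__":
    for path, finding in sorted(audit(build_baseline(GOOD), SERVED).items()):
        print(path, finding)
```

Because the researchers describe the code being reintroduced after removal, a check like this is useful only when run repeatedly against a baseline stored where the web server's own credentials cannot rewrite it.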
