Crooks have injected malicious code into 5925 online stores, enabling them to steal payment card details, according to a Dutch developer.
Willem De Groot says that hackers have been gaining access to the stores' source code by exploiting unpatched software flaws, and installing JavaScript wiretaps to steal card data. The information makes its way to an offshore collection server (usually in Russia, says De Groot) before being put up for sale on the dark web for around $30 a card.
De Groot scanned a batch of 255,000 online stores last November, when he first heard about the scam. At the time he found 3501 compromised sites, but by this September the number of victims had risen to 5925 and included Audi, pop star Björk and Washington Cathedral.
Separately, fashion retailer Vera Bradley says that it has been told by law enforcement about a data breach that puts customer card details at risk. Cards used at the firm's shops between the end of July and end of September may have been affected.
Crooks appear to have accessed Vera Bradley's payment processing system and installed a program designed to find card numbers, cardholder names, expiration dates, and internal verification codes in magnetic stripe data.