Cybercriminals are harvesting personal information including payment card details in what Malwarebytes researcher Jerome Segura described as “the online equivalent of ATM card skimming.”

Threat actors are hosting Magecart skimmers on GitHub in attacks to steal data from hundreds of e-commerce sites.

While skimming code is normally stored on infrastructure controlled by the attackers, researchers have observed threat actors creating thousands of domain names mimicking the most targeted CMS platform, Magento, according to an April 26 blog post.

The threat actor appears to be testing and fine-tuning the skimmer. As with other third-party plugins, compromised Magento sites load the script within their source code right after the CDATA script and/or right before the </html> tag. There are currently over 200 sites that have been injected with this skimmer.
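A site owner can check rendered pages for the placement described above. The following is an added example, not code from the Malwarebytes report: it flags external scripts from hosts outside an allowlist and records whether each sits right after a CDATA script or right before the </html> tag. The allowlist, the list of repository-serving domains, and the sample page are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this shop is expected to load scripts from (hypothetical).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
# Assumption: domains that serve files straight out of public repositories.
REPO_HOSTS = ("github.io", "githubusercontent.com")

SCRIPT_TAG = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script\s*>', re.I)
CDATA_SCRIPT_END = re.compile(r'\]\]>\s*</script\s*>$', re.I)
HTML_CLOSE = re.compile(r'</html\s*>', re.I)

def find_suspect_scripts(html, allowed=ALLOWED_HOSTS):
    """Report external scripts from hosts outside the allowlist, noting the
    two placements the article describes and whether a repo host serves them."""
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        host = urlparse(m.group(1)).hostname
        if host is None or host in allowed:  # relative URL or expected host
            continue
        before = html[:m.start()].rstrip()   # markup preceding the tag
        after = html[m.end():].lstrip()      # markup following the tag
        findings.append({
            "src": m.group(1),
            "host": host,
            "repo_hosted": any(host == d or host.endswith("." + d)
                               for d in REPO_HOSTS),
            "after_cdata_script": bool(CDATA_SCRIPT_END.search(before)),
            "before_html_close": bool(HTML_CLOSE.match(after)),
        })
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<script src="/js/prototype.js"></script>
<script type="text/javascript">
//<![CDATA[
var BLANK_URL = '/js/blank.html';
//]]>
</script>
<script src="https://placeholder-user.github.io/placeholder-repo/a.js"></script>
</head><body>
<script src="https://cdn.shop.example/checkout.js"></script>
</body>
<script src="https://stats.thirdparty.example/t.js"></script>
</html>"""

if __name__ == "__main__":
    for finding in find_suspect_scripts(SAMPLE):
        print(finding)
```

A finding is a prompt for review rather than proof of compromise, since legitimate third-party tags can also sit at the end of a page.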

To make matters worse, the Magento sites will remain at risk even if the GitHub-hosted skimmer is taken down, and attackers will be able to easily re-infect them in the same manner.

Researchers have also noticed threat actors abusing repositories such as GitHub and other resources of legitimate providers.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods,” Segura said in the report. “Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.”
