Thousands of websites are being hit by cyber-thieves who implant code to scoop up payment card numbers, research suggests.
Security giant Symantec found more than 4,800 websites were being hit by these "form-jacking" attacks every month.
High-profile victims of these attacks include airline BA and Ticketmaster.
Online crime groups had turned to the attacks as other more established techniques proved less and less lucrative, Symantec said.
'Attack code'
"It's a sign we're in a world where security is tighter and tighter and it's getting harder to carry out this type of activity," said Orla Cox, director of Symantec's security response unit.
Formerly profitable ventures involving ransomware and mining crypto-currencies now made gangs much less money, she said.
Instead, they were now inserting "attack code", either when sites failed to update core software to close loopholes or via insecure third-party apps, such as chat apps, analytics packages or other extras.
"It's a tiny line of code in there and that's enough for attackers to monitor payment card info being entered and they siphon it off," she said.
"Its often not obvious that the website has been compromised.
"To the naked eye everything would look fine."
Make money
Last year, Symantec had stopped more than 3.7 million form-jacking attacks, said Ms Cox, adding that the figure was a measure of the technique's sudden popularity.
"Cyber-criminals are continuing to find new ways to make money," she said. "And when they do, they pile in."
Ransomware was also still widely used, said Ms Cox, but better back-up practices by businesses and home users meant it was harder for criminals to secure a payday. And infections from ransomware had fallen by 20% over the past year.
"In a lot of cases people are not paying up because its got easier for them to get their data back as they often have it in the cloud somewhere," she said.