Research has found that almost 6,000 online stores are unknowingly harbouring malicious code, put there by hackers, that is stealing the credit card details of customers.
Researchers scanned sites for the specific signature of the data-stealing code in website software, and found that 5,925 online retails sites had been compromised.
The hack works by attackers injecting a short chunk of obfuscated code that copies credit card and other payment information.
Results from the research found that some of the stolen data was sent to servers based in Russia, and that stolen financial details were being sold on dark web markets at a rate of about $30 (£25) per card..
The study also found nine different types of the skimming code, which suggest that several crime groups were involved.
The list of compromised sites has been published, prompting some of the affected stores to update their code and solve the problem.
Researchers advised that the problem could be prevented if store owners regularly upgraded their software, and consumers could prevent themselves being affected by only entering their payment details on sites of known payment providers such as Paypal.