Lots of people know to check ATMs and gas station credit card readers for skimmers, but it’s harder to tell when virtual ones are hidden them in websites’ payment portals. According to research from Malwarebytes, hackers put Magecart JavaScript code into the EXIF metadata of image files, which is then loaded and executed by compromised stores. Hiding malicious code inside of images is nothing new, but it’s the first time security researchers have seen them used to obscure credit card skimmers.

A recent trend among hackers has been to hide malicious code in favicons — those icons you see in the corner of a browser tab. Malwarebytes says that it first assumed the exploit it was researching was a variation on this type of attack, but further analysis revealed it was something else entirely. The company found that the malicious code was loaded via the WooCommerce plugin for WordPress. This is an increasingly popular target among hackers, thanks to its wide market share. When loaded, it grabs payment information, such as the customer’s name, address and credit card details.

The technique, known as Magecart, has grown in popularity among hackers for its mix of relative simplicity and effectiveness. They don’t have to do much more than insert rogue scripts (pointed to remote command-and-control servers) and wait for people to go shopping. From there, they can use the info to make fraudulent purchases, make clone cards and sell the data on the black market.

Don’t expect these kinds of attacks to subside any time soon. They’ve been used against numerous major brands, including British Airways, Newegg and Ticketmaster. Until online stores are airtight against techniques like Magecart, they’ll be tempting targets.

The perpetrators appear to be unique among Magecart-using groups at this stage. They not only don’t share much in common with other groups, they crafted their attack specifically with PrismRBS’ software in mind. There might even be a custom receiver system instead of a ready-made skimming kit popular among cybercriminals.

PrismRBS said it had learned of the breach on April 26th and “immediately” reacted, including efforts to stop the attack, launch an investigation and contact customers as well as law enforcement and payment card providers. It’s promising to bolster the security of its platform and conduct a “comprehensive end-to-end audit.”

There are tools that can block the scripts and the internet domains used for remote data theft. The challenge, as is often the case, is getting companies to adopt. Even if their payment software is up to date, they might not be aware of the possibility for card skimming hacks or have security tools to thwart them. And when the attacks can be highly effective, there’s plenty of incentive for crooks to find these soft targets.