Online shoppers are at a growing risk from a scam which allows hackers to skim their payment details, cyber security firm Symantec warned on Wednesday.
"Formjacking" is essentially an online version of ATM tampering, which allows thieves to grab the PIN codes of unsuspecting customers.
On the internet, hackers inject malicious code into retailers' websites to steal customers' payment details when they conclude a transaction, Symantec said in its annual report on cyber security.
Cyber criminals heisted tens of millions of dollars last year thanks to the scheme which targets 4,800 websites every month, it added.
Hackers stole payment details from thousands of British Airways customers in an attack last year.
Formjacking has become a more lucrative option for cyber criminals as the value of cryptocurrency declines, Symantec said.
"Faced with diminishing returns from ransomware and cryptojacking, cyber criminals are doubling down on alternative methods, such as formjacking, to make money," it said.
Cryptojacking attacks steal from cryptocurrency exchanges and ransomware attacks take over computers of businesses and individuals to ransom them for money.
Symantec said it blocked more than 3.7 million formjacking attacks last year.