After getting into the Magento backend with a stolen (brute-forced) password or via one of the known vulnerabilities on an unpatched Magento shop, skimmers inject the following piece of HTML into the header or footer:
Reported to Google a few months ago, it is finally getting banned in browsers in late August 2018 and now skimmers replacing
Note: The malware adds a backdoor into the cron.php file to re-inject its own code if it is removed.
Make sure that your store is well patched, the admin backend is hidden, you know all admin users listed at System > Permissions > Users in your Magento backend, and all of them have a strong password set.
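Because the backdoor in cron.php re-injects the skimmer after cleanup, the file should be compared against a clean copy from the same Magento release before the header or footer is cleaned. The following is an added example, not code from the original post: the function names, the pattern list and both file contents are constructed for illustration, and it assumes a pristine cron.php for your release is available.

```python
import difflib
import re

# Constructs that often appear in PHP backdoors; a hit is a lead, not proof.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|file_put_contents|"
    r"curl_exec|fsockopen|system|shell_exec|passthru)\s*\(", re.I)


def added_lines(pristine: str, deployed: str):
    """Return (line_no, text) for lines present only in the deployed file."""
    a, b = pristine.splitlines(), deployed.splitlines()
    out = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((n + 1, b[n]) for n in range(j1, j2))
    return out


def audit_cron(pristine: str, deployed: str):
    """Classify every deviation of the deployed cron.php from the pristine one."""
    findings = []
    for no, text in added_lines(pristine, deployed):
        if not text.strip():
            continue  # ignore whitespace-only additions
        level = "suspicious" if SUSPICIOUS.search(text) else "modified"
        findings.append((no, level, text.strip()))
    return findings


# Constructed samples: a shortened stand-in for a stock cron.php and a copy
# with one extra line of the kind a re-injection backdoor leaves behind.
PRISTINE = """<?php
require 'app/Mage.php';
Mage::app('admin')->setUseSessionInUrl(false);
Mage::getConfig()->init()->loadEventObservers('crontab');
Mage::app()->addEventArea('crontab');
Mage::dispatchEvent('default');
"""
TAMPERED = PRISTINE.replace(
    "Mage::dispatchEvent('default');",
    "eval(base64_decode($placeholder)); // constructed stand-in\n"
    "Mage::dispatchEvent('default');")

if __name__ == "__main__":
    for no, level, text in audit_cron(PRISTINE, TAMPERED):
        print(f"cron.php:{no}: {level}: {text}")
```

Any finding, including one marked only "modified", means the file differs from the release copy and should be restored from a trusted source rather than edited by hand.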