Here is a recording made this morning of a demo transaction on a live website with the browser showing the background website activity in the browser.
Here's the breakdown of what actions our "buyer" made:
Live website on the left, developer tools view on the right showing website background activity.
0:04 - Buyer enters name, credit card number, expiry date and CVV number.
0:14 - Buyer checks the order and at the same time, network activity shows customer data being captured and sent directly out to the attacker via email (partially obfuscated to protect identity of hacked website).
0:19 - Buyer's credit card number harvested, along with name and address.
0.24 - Buyer's CVV number is harvested.
The buyer's personal data and payment card data is STOLEN before the buyer clicks "Order and Pay Duty".
And that's it - simple and highly effective theft.
This is affecting MANY Magento websites - is yours affected?