Nothing is safe on the internet anymore

in security •  7 years ago 

I just finished reading this amazing article about a hypothetical attempt to make website owners steal your credit card information for the hacker:

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

I'll sum it up for you in case you are not a developer:

  1. Browsers are pretty secure nowadays; it's very complicated to target loopholes in them to steal something
  2. Since (web) developers got pretty lazy and rarely check the source code they take from the internet, it is easy to make them use some source code that includes additional (let's call them) features to steal credit card info
  3. There is tooling (called NPM) that helps developers deal with all the sources needed to build a website by automating the whole process of loading and updating dependent source code
  4. If a hacker can make a software module (which you also use) dependent on his credit-card-stealing code, NPM will automatically load it into your site and make you collect the credit card info of every user of your site
  5. Some additional tricks, like only collecting data between 7pm and 7am, make it very hard for the developers to spot this malicious behavior

TLDR: You can make a developer of a website include malware in his site's code without him noticing. And since it's then part of the application, additional malware checks will mostly fail. And all this is easy enough that you should be scared to enter your credit card info anywhere on the internet.

Although all this is purely hypothetical, it is perfectly possible and the amount of work needed for this is relatively low, if you compare it to the potential earnings.

We can only hope that no one has already implemented this strategy in real life.
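
For developers, one way to see which packages reach a site only through other packages, as in point 4 above. This is an added example, not code from the original post or the linked article; the lockfile content and package names are constructed, and the function names are hypothetical.

```javascript
// Constructed sample in the package-lock.json v3 layout; every package name is made up.
const sampleLock = {
  packages: {
    "": { name: "shop", dependencies: { "ui-kit": "^2.0.0", "pay-form": "^1.0.0" } },
    "node_modules/ui-kit": { version: "2.1.0", dependencies: { "color-helper": "^1.0.0" } },
    "node_modules/pay-form": { version: "1.4.2" },
    "node_modules/color-helper": { version: "1.0.3", dependencies: { "tiny-log": "^0.1.0" } },
    "node_modules/tiny-log": { version: "0.1.9" },
  },
};

// Resolve a dependency name the way Node does: nearest node_modules first, then parents.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the project root ("") recording the shortest chain to each
// installed package. Only runtime and optional dependencies are followed.
function dependencyChains(lock) {
  const packages = lock.packages || {};
  const chains = new Map([["", []]]);
  const queue = [""];
  while (queue.length) {
    const path = queue.shift();
    const meta = packages[path] || {};
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (target === null || chains.has(target)) continue;
      chains.set(target, [...chains.get(path), `${name}@${packages[target].version}`]);
      queue.push(target);
    }
  }
  return chains;
}

// Packages that ship with the site although package.json never names them.
// A chain of length 1 is a direct dependency; the root itself has length 0.
function transitiveOnly(lock) {
  const chains = [...dependencyChains(lock).values()];
  return chains.filter((chain) => chain.length > 1).map((chain) => chain.join(" -> "));
}
console.log(transitiveOnly(sampleLock));
```

Each printed chain starts at a dependency the developer chose and ends at a package that was pulled in automatically, which is the code nobody on the team picked or reviewed.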
