The SpyEye malware has been connected to a recently discovered attack on customers of two German travel services.
Security firm Trusteer said that it had uncovered versions of the malware attempting to pull data from infected machines on the sites of Air Berlin and AirPlus.
Classified as an HTML injection tool, SpyEye is able to intercept web pages on an infected system and add code into the HTML file before it is displayed to the site visitor.
Trusteer chief technology officer Amit Klein told V3.co.uk that AirPlus log-in pages were being altered to add input boxes requesting information such as credit card numbers. The information is then collected by the malware and sent to an upload server.
However, Klein said that the more interesting attack was on Air Berlin, where the malware was being directed to harvest account information; the aim of that attack appears to be harvesting frequent flyer miles.
The malware operators are presumably looking to make money from the collected miles, but Klein said that Trusteer is not quite certain how the transactions would take place.
"The attack on Air Berlin is more interesting because it is not directly cash. They still need to convert the miles into cash. It needs more links in the chain," he said.
The attacks are also the first commercial site hacks from a malware family which has until now been focused on the financial sector.
Klein said that the expansion from banks and financial institutions to commercial sites is to be expected from a malware franchise as large and successful as SpyEye.
"Targeting banks directly is one profitable way of exploiting this combination, but it is not mutually exclusive to have other sites targeted," he explained.
"If you can attack multinational sites and turn that into money as well, it is two for the price of one."
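The log-in page tampering described above leaves a detectable trace: the page shown to the user contains form fields the site never served. The following is an added example, not code from Trusteer or either site, that diffs the form fields in the served HTML against a DOM snapshot captured on the client; the HTML samples and field names are constructed for illustration, and how the snapshot is collected is assumed.

```python
from html.parser import HTMLParser

# Constructed sample: the log-in form as the server sends it.
SERVED = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same form as rendered on an infected machine,
# with extra input boxes added before display.
RENDERED = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number" required>
  <input type="password" name="cvv" />
  <input type="submit" value="Log in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect (name, type) for every input-like tag in a document."""

    FIELD_TAGS = {"input", "select", "textarea"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag in self.FIELD_TAGS:
            a = dict(attrs)  # valueless attributes such as "required" map to None
            name = (a.get("name") or a.get("id") or "").strip().lower()
            ftype = (a.get("type") or ("text" if tag == "input" else tag)).lower()
            self.fields.add((name, ftype))


def form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(served_html, rendered_html):
    """Return fields present in the rendered page but absent from the served one."""
    return sorted(form_fields(rendered_html) - form_fields(served_html))
```

A non-empty result for a log-in page is a signal worth alerting on, since legitimate client-side scripts rarely add new data-entry fields to an authentication form.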