The website that has this flagged many times: https://urlquery.net/report/530dfcef-f2a4-4bfd-a98f-8af0eb16569d
See the problematic code flagged as 1 → /js/lib/ccard.js → https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=safety.btcgroup.ru%2Fkamuflyazh%2Fkostumy%2F&ref_sel=GSP2&ua_sel=ff&fs=1

Read about it here: http://labs.sucuri.net/?note=2016-06-30
and https://www.foregenix.com/blog/credit-card-hijack-magento-javascript-alert

Only one to detect? https://www.virustotal.com/nl/url/2c209f13687d8a692fe5f9c19b3814e1f8050cea6843be30af17fe81f20f4851/analysis/1510414423/

Flagged: https://sitecheck.sucuri.net/results/safety.btcgroup.ru
F-grade status and recommendations: https://observatory.mozilla.org/analyze.html?host=safety.btcgroup.ru

ISSUE DETECTED DEFINITION INFECTED URL Website Malware MW:JS:GEN2?malware.magento_shoplift.002.02 htxp://safety.btcgroup.ru/js/lib/ccard.js ( View Payload ) Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?malware.magento_shoplift.002.02 ////if((new RegExp('onepage|onestepcheckout|firecheckout|///////onestepquickcheckout|simplecheckout|checkout'))////.test(window.location)) /////{

Also a PHISH → identity threat on: -Location: hxtp://safety.btcgroup.ru/js/2017.htm

Detection fully missed here:
https://quttera.com/detailed_report/safety.btcgroup.ru

polonus (volunteer website security analyst and website error-hunter)

An earlier analysis of the type of malware here: -htxps://www.reverse.it/sample/907cb9fbeac5e0d6c3c73376d00f9ee72b8a9dee883258f293b8df2eb4974d57?environmentId=100

Made the link not-click-through as it is only for researchers (pol).

And a later one: -https://www.reverse.it/sample/71efc700b9091f1449e2c952536cf7281aded3a30a96e44be5d06e606e2904bd?environmentId=100 (same here, pol).

polonus