"I'm not gonna buy anything online," is the straight-up statement from a security researcher as criminals ramp up their efforts to hack as many web stores as possible ahead of the holiday shopping season.

Over the past few years, security researcher Willem de Groot has found thousands of hacked sites running the Magento e-commerce platform, which was owned by eBay and sold to private equity firm Permira in 2015.

Despite contacting the sites, and plenty of publicity around compromised stores running malicious code, the problem is getting worse.

Many site owners, operators and their hosting services fail to apply security patches and updates to their digital shopping carts. This allows criminals to add credit card skimming and personal information stealing code to the sites, putting customers at risk of fraud on a massive scale.
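The injected skimming code the article describes only works if it is served to shoppers as part of the store's own pages, so the first defensive check a store operator or host can run is a comparison of what the checkout page serves today against a known-good baseline. The following is an added example, not code from the article, from de Groot's research tooling or from the Magento project: it fingerprints the script tags on a page (external script hosts plus hashes of inline script bodies) and reports any script host that is new and not on an allowlist, and any inline script that was not in the baseline. The HTML samples and hostnames are constructed placeholders.

```python
"""Storefront script-integrity check: compare the scripts on a served page
against a known-good baseline and report what changed (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SAME_ORIGIN = "(same-origin)"


class _ScriptCollector(HTMLParser):
    """Collects (host, src) pairs for external scripts and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (host, src)
        self.inline = []        # list of inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative src (e.g. /static/x.js) has no netloc: treat as same-origin.
            host = urlparse(src).netloc.lower() or SAME_ORIGIN
            self.external.append((host, src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def fingerprint(html):
    """Return the set of external script srcs (with host) and SHA-256 hashes of inline scripts."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return {
        "external": set(p.external),
        "inline": {hashlib.sha256(s.encode("utf-8")).hexdigest() for s in p.inline},
    }


def compare(baseline_html, current_html, trusted_hosts):
    """List human-readable findings for scripts present now but not in the baseline."""
    base = fingerprint(baseline_html)
    cur = fingerprint(current_html)
    findings = []
    for host, src in sorted(cur["external"] - base["external"]):
        if host == SAME_ORIGIN or host in trusted_hosts:
            findings.append(f"new script on trusted host {host}: {src} (verify against your deploy)")
        else:
            findings.append(f"new script from untrusted host {host}: {src}")
    changed = cur["inline"] - base["inline"]
    if changed:
        findings.append(f"{len(changed)} inline script(s) changed or added since baseline")
    return findings


# Constructed sample: a baseline checkout page captured when the store was known clean.
BASELINE_HTML = """<html><head>
<script src="https://shop.example.test/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "NZD"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed sample: the same page as served later, with one extra third-party
# script tag and a modified inline script (placeholder content, not a real payload).
CURRENT_HTML = """<html><head>
<script src="https://shop.example.test/static/checkout.js"></script>
<script src="https://stats.unknown-cdn.test/collect.js"></script>
<script>window.checkoutConfig = {currency: "NZD"}; /* constructed change */</script>
</head><body><form id="payment"></form></body></html>"""

# Hosts the operator knowingly loads scripts from (placeholder).
TRUSTED_HOSTS = {"shop.example.test"}

if __name__ == "__main__":
    for line in compare(BASELINE_HTML, CURRENT_HTML, TRUSTED_HOSTS):
        print(line)
```

In practice the baseline is captured from the deployed theme after each legitimate release and the comparison is run on a schedule against the live checkout page; a new script host is the finding to treat as an incident, while a changed inline script is the signal to reconcile against the release history before dismissing it.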


The issue affects New Zealand operators as well. De Groot compiled a list of 24 compromised online stores with links in the .nz domain space and sent it to NZ Herald.

A similar list of hacked shops with .au domains was ten times the size. Because New Zealand site operators also use top-level domains other than .nz, such as .com, the problem is likely to be much larger.

"I started tracking web skimmers in 2015 and I've recently identified the 40,000th store that leaks payment and customer data," de Groot said.

"Unfortunately there's not much that a consumer can do, actually. Vote for a government that penalises stores with sloppy privacy. In any case, the free market won't fix it.

"Myself, I don't shop online anymore, or use a fake name when I absolutely have to. And if possible, enable 2FA [two-factor authentication] on your credit card," he advised.

Vulnerable stores are easy for criminals to find, because they use automated scans of the internet to locate them.

Anyone can be hit: the Australian branch of the United Nations Children's Emergency Fund (UNICEF) charity left a shop subdomain pointing to an unused e-commerce store which ended up being hacked.

UNICEF Australia was contacted by the Herald about the hack, and spokesperson Charlotte Glennie said the organisation quickly fixed the issue.


Little interest in security from local store operators

NZ Herald contacted the .nz stores on the list asking whether they were aware that they had been compromised, whether they intended to secure the shops, and whether they had received customer complaints about unauthorised credit card charges.

Only three stores responded, saying they had not received complaints from customers.

One store operator said: "To be honest, we don't really run many sales through the site, but your email is very worrying and has been forwarded to the web developers for comment."

Stores that do not clean up the malware infection risk being blocked by web browsers.

Google's Chrome, the world's most popular web browser, shows an interstitial warning page and blocks access when a site is detected hosting malware, to protect users. Three of the sites on the list were already blocked.

CERT NZ weighs in

Senior incident manager of the government's New Zealand Computer Emergency Response Team (CERT NZ) Erica Anderson said the cyber security organisation regularly receives reports about websites that have been compromised, or are affected by site vulnerabilities.

"Just like the devices we use every day, the platforms and plugins that business use on their websites need to be looked after to protect both the site owner and the customers that use the site," Anderson said.

"This includes keeping all of the site components, like content management systems and shopping cart functionality, patched and up to date."

For more information on keeping business websites safe, there is information available on www.cert.govt.nz.

If people are taking advantage of online deals over the weekend, there is also advice for consumers to stay safe when shopping online.

"If you find an issue with your website, report it to CERT NZ www.cert.govt.nz," she added.

The NZ Herald has shared the list of hacked .nz stores with CERT NZ, which asked that the sites not be named while the cyber security organisation contacts the operators.