Customers buying goods and services online risk having their credit card details skimmed and transmitted to unknown criminals in Russia through thousands of hacked Magento stores worldwide.
Some 267 vulnerable Australian and New Zealand Magento stores were found by de Groot, who has set up the Magereport site, providing a free check to see if the latest patches are installed for the popular e-commerce platform.
The Australian sites range from online retail shops to art galleries and not-for-profit organisations. iTnews contacted a sample of operators, asking if they were aware of the issue and if they intended to address it.
Most of those contacted did not respond, but Bart Nanka, who manages an online Queensland organic herbs retailer, said the company's development team patched the site after being notified by iTnews of the issue.
Some Australian sites on de Groot's list are blocked by Google's Safe Browsing feature, used in Chrome and other browsers to warn users of malware.
The card skimming occurs without customer interaction or notification. De Groot said the skimming incidents have been taking place since November 2015, thanks to site operators being slow to patch their stores for Magento vulnerabilities.
A conservative calculation of visitors to the Republicans site placed the number of stolen cards at 21,000 since March this year. At US$30 per card, the criminals would have made US$600,000 or thereabouts from the Republicans site alone, de Groot said.
De Groot counted 3501 vulnerable sites in November 2015, but in September this year, the number was 5925, an increase of 69 percent.
Worldwide, governments, pop stars, car makers, fashion retailers and non-government organisations all run vulnerable sites that are skimming visitors' credit card details, de Groot said.
The malware authors have evolved their code since last year with multi-layer obfuscation to make it harder to detect, and better algorithms to capture payments pages and providers such as Paypal.
He warned that apart from being blocked by Google, sites that serve up the card skimming malware could be penalised by issuers such as MasterCard and Visa.