Hackers have installed skimming scripts on more than 6000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards.

Dutch developer Willem de Groot found the malware infecting stores running vulnerable versions of the Magento ecommerce platform.

Attackers uploaded scripts which would capture and ship credit cards from online shops to Russia-based command and control servers.

The US National Republican Senatorial Committee is the most high profile scalp the campaign after an unknown number of credit cards were stolen from supporters buying merchandise and offering donations through its online store.

The Committee did not answer questions by The Register on remedial actions it had taken nor whether it could guarantee customer credit cards were safe.

De Groot told this publication the attack spanned the six months from March and reckons in an "educated guess" that some 21,000 credit cards would likely have been skimmed.

He cites traffic statistics that show the online shop address store.nrsc.org received 340,800 vistiors last month, and says a "conservative conversion ratio" of 1 percent yields 3500 stolen credit cards per month.

De Groot says the Committee removed the skimming scripts after he reported the compromise in August, but adds it did not reply to his disclosure.

The developer has inked a list of likely affected sites detected in scans for the malicious scripts.

Some 170 new stores appear to have been breached since El Reg contacted de Groot overnight.

It includes thousands of businesses and government organisations allegedly compromised since the attacks began in May last year.

"Given that there are [about] 5900 other skimmed stores, and the malpractice has been going on since at least May last year, I would expect the number of stolen cards in the hundreds of thousands," De Grott says.

In Australia and New Zealand, some 267 businesses including NickScali and Barbeques Galore have been allegedly breached, along with local sites of Converse and luggage company American Tourister.

The US Franklin Institute and National History Museum appear on the breach list, along with scores of smaller stores from the UK and elsewhere around the world.

Large retailers appear unaffected.

De Groot says the current wave of attacks have become more stealthy in what may indicate new attackers have begun targeting shops.

The developer has warned some of the growing list of affected shops, but many remain actively breached with credit cards shipping off to attackers' servers.

Some of the retailers appear unworried by the attacks. "I contacted a couple (of stores), but I mostly got back 'thanks, but we are safe, no worries', or 'we are safe because we use https;', or 'we are safe because we have the Symantec security seal'," De Groot says.

"Those security seals aren't worth much, apparently."

Shops appear to be targeted through at least one since-patched bug reported in April last year then affecting 88,000 stores. The critical remote code execution vector granted access to credit cards and the ability to write 100 percent discount coupons.

De Groot has found some nine variations of the malicious scripts, and has uploaded some malware samples for analysis.

Some employ multiple levels of obfuscation, making analysis difficult, and mark their code as UPS delivery data in a bid to disguise the attacks from admins. ®