ECPAT NZ is an NGO set up three years ago in association with a campaign to highlight issues of tourism and child sexual exploitation.
Its tourism web site has been mass injected in an attempt to deliver malicious payloads from 20 different hosts.
Websense Security Labs ThreatSeeker Network discovered the infection. Websense says it is working closely with ECPAT to advise on the threats.
ECPAT national director Alan Bell says the site has been closed and he is awaiting a report from the administrator.
“We’ve been told by our host that this is possibly a larger issue we have been caught up in,” he says.
ECPAT’s home page has not been affected.
The tourism site allows people who have witnessed sexual abuse of children to report it for follow-up by the authorities.
ECPAT is part of a global network operating in 70 countries. The secretariat is in Bangkok.
Correction: This article originally said the ECPAT site was hosted by the ISP Watchdog. Watchdog says it supports the site, but does not host it.