09 Aug, 2021

eCommerce Cybersecurity: How to Protect PrestaShop Sites from Credit Card Skimming Malware

PrestaShop is a popular eCommerce website builder, but what if it's vulnerable to malware attacks? eCommerce cybersecurity matters and here's how to protect PrestaShop sites from credit card skimming malware.
Many eCommerce sites use some sort of eCommerce website builder. This tool helps site owners set up their sites, manage content, and monitor eCommerce cybersecurity. But what happens when one of these eCommerce website builders has a security issue of its own? This can have a cascading effect on site owners using that vendor to build their site or operate their online store.

PrestaShop is one of the most popular eCommerce website builders online. Like every other eCommerce system, it consistently finds itself the target of malware attacks. To protect eCommerce sites from malware, it's important to understand how these attacks work, or at the very least to partner with an eCommerce cybersecurity provider who does.

Last week, a PrestaShop business owner contacted us to report that their site was redirecting visitors to a third-party location and skimming those visitors' credit card information. We took a closer look at the attack to see what it meant for PrestaShop business owners and what actions can be taken to protect PrestaShop websites from malware.
Details on the Infection
Here's how the infection worked: once a site is compromised, the malware digs in and gets to work. The attack injects a malicious script into the site, and the impact extends beyond the originally affected page: every page served by the infected site carries the injected script. That means that anyone interacting with any part of the infected site, whatever the page, is at risk of further infection.

Quttera reviewed the attack to see if we could determine any additional details and a possible solution.
Our Analysis of the Attack
The infection was found in the following location: public_html/classes/controller/Controller.php.
Here's how the PrestaShop website describes this component:

"The Controller manages the synchronization events between the View and the Model and keeps them up to date. It receives all the user events and triggers the actions to perform."

We performed our own analysis of the malicious code and found it hidden inside a base64_decode() call on line 532, within the smartyOutputContent() function.

The malware injects the code by appending it to the $html variable, which holds the rendered content of the webpage template.
Using the site https://malwaredecoder.com, we deobfuscated the JavaScript. The deobfuscated version turned out to be an HTML form built to gather the credit card details of customers visiting the site.
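The pattern described above (a long base64 literal fed to base64_decode() and appended to $html) can be hunted for across a PrestaShop install without visiting a deobfuscation site. The following scanner is an added example, not code from the original post or from PrestaShop: it pulls every base64_decode() call with a long string literal out of a PHP file, decodes the literal locally, and reports it only if the decoded text looks like injected page content (a form, script or input element). The sample Controller.php source and its payload are constructed for the demo; the payload is a placeholder form, not the real skimmer, and the function names are this example's own.

```python
import base64
import re
import sys

# Constructed sample mimicking the injection described above: a long
# base64_decode() literal appended to $html inside smartyOutputContent().
# The decoded payload is a harmless placeholder form, not the real skimmer.
FAKE_PAYLOAD = base64.b64encode(
    b'<form id="cc"><input name="card_number"><input name="cvv"></form>'
).decode()

SAMPLE_CONTROLLER = f"""<?php
class Controller
{{
    protected function smartyOutputContent($content)
    {{
        $html = $this->context->smarty->fetch($content);
        $html .= base64_decode('{FAKE_PAYLOAD}');
        echo $html;
    }}
}}
"""

# base64_decode('...') or base64_decode("...") with a literal of 40+ base64 chars.
# Short literals are skipped: legitimate code decodes small values all the time.
BASE64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]{40,})\1\s*\)""")

# Markers that a decoded blob is page content (HTML/JS) rather than binary data.
SUSPICIOUS_MARKERS = ("<script", "<form", "<input", "document.", "XMLHttpRequest")


def find_suspicious_payloads(php_source):
    """Return [(line_no, decoded_text)] for base64 literals that decode to HTML/JS."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in BASE64_CALL.finditer(line):
            try:
                decoded = base64.b64decode(match.group(2), validate=True)
            except ValueError:
                # Not valid base64 after all (binascii.Error is a ValueError).
                continue
            text = decoded.decode("utf-8", "replace")
            if any(marker in text for marker in SUSPICIOUS_MARKERS):
                findings.append((line_no, text))
    return findings


def scan_file(path):
    """Scan one PHP file on disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_suspicious_payloads(handle.read())


if __name__ == "__main__":
    # Usage: python scan_base64.py classes/controller/Controller.php ...
    # With no arguments, scan the constructed sample instead.
    targets = sys.argv[1:]
    if not targets:
        for line_no, text in find_suspicious_payloads(SAMPLE_CONTROLLER):
            print(f"sample line {line_no}: {text[:80]}")
    for target in targets:
        for line_no, text in scan_file(target):
            print(f"{target}:{line_no}: {text[:80]}")
```

Decoding and inspecting the payload, rather than alerting on every base64_decode() call, keeps false positives down: PrestaShop and its modules use base64 legitimately, but a literal that decodes to a form or script inside a controller is worth a human look. Run it over classes/, controllers/ and modules/ and compare anything it flags against the upstream copy of that file.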
An Overview of the Cleanup Process
Once we identified the code, we set about removing it. Before removing it altogether, we consulted the PrestaShop GitHub repository and checked the original Controller.php (the site ran version 1.6) to establish which other code depends on this section, so that removing it would not crash the website.

From here, we removed the malicious code, but once we did, the website stopped working. We attributed this to PrestaShop's caching. Once we established this, we deleted the file /cache/class_index.php, and after that the site was up and running normally.

After the removal was complete, we met with the customer to review what had happened and recommend a path forward. We advised them to change their credentials once the cleanup was complete. This is a preventative measure in case any of the attackers still possess their old credentials. This is typically the best short-term measure to take following an attack, though there are plenty of other security measures you can implement using the right website security platform. Lastly, we enabled our DNS-based web application firewall for this PrestaShop site to protect it against any future attacks.
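The cleanup steps above (compare the deployed Controller.php against the pristine copy from PrestaShop's GitHub for the same version, replace it, then delete cache/class_index.php so the stale class index is rebuilt) can be scripted so they are repeatable across every core file you check. The helper below is an added example and not Quttera's or PrestaShop's own tooling; it assumes you have already downloaded the reference file for the exact version the site runs (1.6 in this case), and the function names, the demo fixture and its file contents are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_reference(suspect, reference):
    """True when the deployed file is byte-identical to the pristine upstream copy."""
    return sha256_of(suspect) == sha256_of(reference)


def clear_class_index(webroot):
    """Delete PrestaShop's cached class index (cache/class_index.php) so it is
    regenerated from the cleaned sources. Returns True if a file was removed."""
    index = Path(webroot) / "cache" / "class_index.php"
    if index.is_file():
        index.unlink()
        return True
    return False


def restore_from_reference(suspect, reference, webroot):
    """Replace a core file with the pristine copy if it differs, then clear the
    class index. Returns (file_was_replaced, index_was_cleared)."""
    if matches_reference(suspect, reference):
        return (False, False)
    shutil.copyfile(reference, suspect)
    return (True, clear_class_index(webroot))


def demo():
    """Build a throwaway webroot (constructed fixture) and run the restore.
    Returns the checks a test or operator would want to see."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        (webroot / "classes" / "controller").mkdir(parents=True)
        (webroot / "cache").mkdir()
        reference = webroot / "Controller.reference.php"
        suspect = webroot / "classes" / "controller" / "Controller.php"
        clean = "<?php\n// pristine upstream copy (constructed)\n"
        reference.write_text(clean)
        # The deployed copy carries an extra injected line (constructed).
        suspect.write_text(clean + "$html .= base64_decode('...');\n")
        (webroot / "cache" / "class_index.php").write_text("<?php\n// stale index\n")
        matched_before = matches_reference(suspect, reference)
        replaced, cleared = restore_from_reference(suspect, reference, webroot)
        return {
            "matched_before": matched_before,
            "replaced": replaced,
            "index_cleared": cleared,
            "matched_after": matches_reference(suspect, reference),
            "index_exists_after": (webroot / "cache" / "class_index.php").exists(),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A hash mismatch is a signal, not a verdict: a site that has legitimately patched a core file will also differ from upstream, so diff the two copies before overwriting, exactly as the dependency check above was done by hand. Rotating credentials afterwards remains a separate step this script does not replace.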
How to Best Protect Your Site
In this particular scenario, we were able to identify and diagnose the issue for the customer and offer a fix. You might be wondering how you can get access to proactive services like this in the event of a malware attack. You'll want to have measures in place to stop something like this from happening to your PrestaShop site, or to a site built with any other affected eCommerce website builder, for that matter.

We have a set of tools that can help you engage in optimal website protection. Quttera has a web malware protection platform called ThreatSign. This online tool provides you with a comprehensive suite of web security protection tools, safeguarding your website from hackers. Some of the features include:

  • Uptime monitoring. When an attack occurs, it may bring your site down. This kind of outage can cost you money as you lose visitors, customers, and overall user trust in your website. With uptime monitoring, we regularly check to see if your site is fully functioning and available.
  • External malware monitoring. Malware attacks from outside websites can pose a serious threat to your system. Our external malware monitoring system regularly checks for these threats to see if any external sites are having a negative impact.
  • Internal malware monitoring. Other outside websites aren't the only ones you'll want to maintain situational awareness of. Our internal monitoring capabilities provide you with the opportunity to regularly review your own site's infrastructure to ensure no successful attacks have occurred. If there's a malware attack on your site, you may not notice it until it's too late. Our monitoring services will help catch disruptions quickly.
  • Web application firewall. What do you have in place to stop malicious visitors knocking at your website's online door? Our web application firewall's aim is simple: block these attackers and/or requests from accessing your site. That way, your site remains operational, clearing the flow of traffic for legitimate users to access the site without disruption.
  • Malware cleanup. If an attack is successful, you'll want to be able to fix it quickly and move on. Our malware cleanup capabilities enable you to find and remove the problem with speed and efficiency, minimizing service interruptions.
If you want to adequately protect PrestaShop websites from malware, you have to take eCommerce cybersecurity seriously. You can do that by partnering with Quttera. We offer a comprehensive suite of eCommerce cybersecurity solutions intended to keep attackers away and keep your site traffic flowing. With Quttera's services, you'll be able to protect yourself from attacks or mitigate their impact.

For more on how Quttera's ThreatSign platform can upgrade your site's eCommerce cybersecurity, contact us today.