Fraud Alert!


Guest


We have prestashop 1.4 and Paypal module 2.8.2

 

Somehow someone has managed to hack the module credentials, so they have modified the email address, username and password for the API settings to redirect the funds to their account rather than ours.

 

Luckily this has only affected two orders

 

I have NO idea how this can happen. We will obviously change all our passwords etc.

 

But just in case it is some kind of bot attack, please all do keep an eye on your settings.

 

Really wish there was a way we could check back office access logs for prestashop :(

Edited by Guest (see edit history)

that's horrible...

 

It is always wise to keep everything updated....

otherwise you will do what the Govt does..

 

Patch and go...patch and go...

 

maybe the entire API needs to be encrypted once the api is setup...

 

better yet, there needs to be a notification system in place in the event any presta files are hacked or changed that will notify the owner to say exactly what has been changed such as api settings.

 

maybe encryption and notification, no need to take chances....

 

it's ironic, they could not hack a paypal account to take money, so they end up hacking the store to reroute funds to their paypal....

 

how did you find this out? did a customer complain that they paid you, and did not hear from you?

Edited by dsimms (see edit history)

Ok, this does not mean that Prestashop was compromised. Your hosting account could have been hacked and those settings changed through the database.

 

Your best line of defense is to change all of the passwords and the user name on the hosting account. More than likely, if you are using cpanel, the user name is the first 8 letters in your domain name.

 

Get with your web host and try to get the access logs and see if they logged in through the control panel or through prestashop.


You are right, it could have very well been the host...

I wonder who is his host, may not have good security...

 

either way it should not be hard to narrow down, it was either the cart, or the host..


If the api was hacked before it got sent to paypal, then it really does not matter how secure paypal is...

 

Paypal is designed not to be jacked during transmit, has nothing to do before the transmit begins...so if his files were hacked, then paypal was just doing its job of sending the transmission through as if it was following orders... so basically the hacker changed the orders beforehand, and paypal just sent it through as normal, but it was just dropped into the hacker's account.

 

the bottom line is, we really don't know what happened, for all we know, the op had a friend or coder roaming around with his login info, so it could be a number of things, presta could have been hacked, his host could have been hacked, maybe a friend/coder did it. I suspect when something like this happens, it was someone he knows that had access.

 

are there any more reports of this happening...

If not, then it was most likely someone he knew w/access....

 

I have done a lot of looking and testing with the payment modules and the paypal one is the most secure in my opinion.

Edited by dsimms (see edit history)

The api is not what would have been hacked. It uses a get request to paypal to send payments. More than likely what happened was the cpanel account was hacked and the values were changed in the database. Someone could have also guessed the password for the admin account of the shop and gotten access that way.

 

One thing I learned from Tomerg3, which is great for security, is to use an .htaccess user and password on your back office page. Then you have two usernames and passwords to access your back office.


When I said api that was what I was referring to, one way or another they were able to get access in order to change the file; I guess at this point encryption would have not done any good, but a file change notify system would have sent an email to the owner saying which files were changed, what time, and any other info to tag to it such as ip info, etc...

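The change-notification idea raised in this thread, as an added example that is not from the thread, from PrestaShop or from the PayPal module: a Python check that baselines the hashes of the module's configuration rows and reports any row that later differs, which is exactly the database-level edit the replies describe. The table and key names (ps_configuration, PAYPAL_API_USER, PAYPAL_API_PASSWORD, PAYPAL_BUSINESS_EMAIL) are assumed placeholders, the rows are constructed, and an in-memory SQLite table stands in for the shop database.

```python
import hashlib
import sqlite3

# Hypothetical key names: the thread does not give the module's real configuration keys.
WATCHED_KEYS = ("PAYPAL_API_USER", "PAYPAL_API_PASSWORD", "PAYPAL_BUSINESS_EMAIL")

def fingerprint(value: str) -> str:
    """Keep only a hash of each value so the baseline never stores the credentials themselves."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def snapshot_config(conn: sqlite3.Connection, table: str = "ps_configuration") -> dict:
    """Map each watched configuration key to the hash of its current value."""
    marks = ",".join("?" * len(WATCHED_KEYS))
    rows = conn.execute(f"SELECT name, value FROM {table} WHERE name IN ({marks})", WATCHED_KEYS)
    return {name: fingerprint(value) for name, value in rows}

def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return (key, status) for every watched key whose value no longer matches the baseline."""
    findings = []
    for key in WATCHED_KEYS:
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        status = "removed" if new is None else "added" if old is None else "changed"
        findings.append((key, status))
    return findings

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for the shop's configuration table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ps_configuration (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO ps_configuration VALUES (?, ?)", [
        ("PAYPAL_API_USER", "api.shop@example.com"),
        ("PAYPAL_API_PASSWORD", "example-api-password"),
        ("PAYPAL_BUSINESS_EMAIL", "payments@example.com"),
        ("PS_SHOP_NAME", "Example Shop"),  # not watched, so changes here are ignored
    ])
    return conn

def run_demo() -> list:
    """Baseline, then replay the thread's incident: the receiving e-mail is edited in the database."""
    conn = build_demo_db()
    baseline = snapshot_config(conn)  # taken right after the module was configured
    conn.execute("UPDATE ps_configuration SET value = ? WHERE name = ?",
                 ("someone-else@example.net", "PAYPAL_BUSINESS_EMAIL"))
    return diff_snapshots(baseline, snapshot_config(conn))

if __name__ == "__main__":
    for key, status in run_demo():
        print(f"ALERT: {key} {status}")  # a cron job would e-mail this to the shop owner
```

Run it on a schedule against the real database and keep the baseline file outside the web root, so a database-only intrusion cannot also rewrite the baseline.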

With paypal there is not really a file to change, it would be more like accessing the database and changing the values in it. If they were to change a file, they would basically have to rewrite the whole paypal module and not just access the values in the database.


Thanks for the input. I had not thought of the database directly being accessed. We are with 1&1 so I will check that out now.

 

I only spotted it because I keep a close eye on orders. The status of the order said "Awaiting PayPal payment" so I initially just assumed that because of the time of year, PayPal was having a bit of a lag

 

When the second order was also like that after a couple of orders I went into our PayPal account and saw that the transaction was not there - that was when alarm bells rang

 

So I contacted the customers who forwarded the PayPal confirmation e-mails to me and it showed that the funds were going to a different PayPal user

 

Name and shame of course "[email protected]"

 

So I then checked our PayPal module and the rest followed from there

Edited by Guest (see edit history)

I think you know what I mean; either something was hacked, or someone with access made changes, either way, something was changed/edited so when paypal processed, it just forwarded the funds thinking it was the correct paypal to send the funds to, and obviously it was not...


I hope you contacted paypal, and explained to them what is going on...

maybe they will suspend the account attached to that email, maybe they won't....

also have your two clients do a dispute, and have them explain the issue with paypal also...maybe that will help, maybe it won't...

 

paypal is known to work with bad guys, even when they know they are dealing with the bad guys....

Edited by dsimms (see edit history)