PayPal module hacked

[ezsmoke]

I have been running a Prestashop website for a number of years. A few weeks ago, a customer informed us that when paying by PayPal that they were being redirected to a phishing type website - https://checkoutnow.mdigo.com/store/verif.php which was trying to replicate the official PayPal website. On checking and logging in as a user, we too had same issue as customer. We immediately disabled PayPal, and then updated PayPal module to latest version - PayPal V3.11.16. We then changed admin password for the website, and FTP password and we installed new module Protect My Shop. We also upgraded Prestashop to 1.6.1.18.

All seemed well until last night, when same thing has happened, and when customer tries to checkout using PayPal they get redirected to fake PayPal website. We have again disabled PayPal as payment method.

Anyone else experience something similar or suggest what I can do to fix this major issue.

[joseantgv]

27 minutes ago, ezsmoke said:

I have been running a Prestashop website for a number of years. A few weeks ago, a customer informed us that when paying by PayPal that they were being redirected to a phishing type website - https://checkoutnow.mdigo.com/store/verif.php which was trying to replicate the official PayPal website. On checking and logging in as a user, we too had same issue as customer. We immediately disabled PayPal, and then updated PayPal module to latest version - PayPal V3.11.16. We then changed admin password for the website, and FTP password and we installed new module Protect My Shop. We also upgraded Prestashop to 1.6.1.18.

All seemed well until last night, when same thing has happened, and when customer tries to checkout using PayPal they get redirected to fake PayPal website. We have again disabled PayPal as payment method.

Anyone else experience something similar or suggest what I can do to fix this major issue.

 

Could be that the problem is not within PrestaShop. Do you have a Wordpress in the same server?

[ezsmoke]

Yes, I do have Wordpress on same server. But Wordpress seems to be working OK. Do you recommend I make changes to WordPress?

[joseantgv]

1 minute ago, ezsmoke said:

Yes, I do have Wordpress on same server. But Wordpress seems to be working OK. Do you recommend I make changes to WordPress?

 

Buy maybe they have accessed your server through a Wordpress bug. Is it updated? And all the plugins too?

[ezsmoke]

I will check. It is a very basic Wordpress blog on the same server. But I can strengthen security on WordPress.

[Johann]

I just have the same problem with a customer of mine. I've updated the Paypal module and I'm currently looking for the cause of the problem

Did you found the reason for your cases ? 

[ezsmoke]

1 hour ago, Johann said:

I just have the same problem with a customer of mine. I've updated the Paypal module and I'm currently looking for the cause of the problem

Did you found the reason for your cases ? 

I ended up getting professional help with this.  Although not 100% sure how the site was hacked originally, but people who carried out the work for me on fixing this issue, did find a back door, and removed same as well as removing infected files. All admin usernames / passwords and mysql passwords, ftp password changed and updated Prestashop itself and all modules. So far all seems good again.

[Johann]

Ok ezsmoke, thanks for your return. In my case, for the moment I've just updated the paypal module and that has fixed the problème, but I haven't found the cause yet. This customer planned to migration to another hoster, so all passwords will be changed at this moment